
Windows Analysis Report
September payments.exe

Overview

General Information

Sample name: September payments.exe
Analysis ID: 1527847
MD5: bddb3b5687c1e5c4bb89e38d406261d1
SHA1: aaf992182827d0493b478b9723fdcab48b1b509d
SHA256: b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
Tags: exe, user-adrian__luca

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • September payments.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\September payments.exe" MD5: BDDB3B5687C1E5C4BB89E38D406261D1)
    • powershell.exe (PID: 7804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7212 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7900 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 8068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 8108 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 8116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 8124 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • YifGIcnmZiWfn.exe (PID: 8148 cmdline: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe MD5: BDDB3B5687C1E5C4BB89E38D406261D1)
    • schtasks.exe (PID: 1512 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 6948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 6920 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 7028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 4872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
    • vbc.exe (PID: 1436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: September payments.exe PID: 7628 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: YifGIcnmZiWfn.exe PID: 8148 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\September payments.exe", ParentImage: C:\Users\user\Desktop\September payments.exe, ParentProcessId: 7628, ParentProcessName: September payments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", ProcessId: 7804, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\September payments.exe", ParentImage: C:\Users\user\Desktop\September payments.exe, ParentProcessId: 7628, ParentProcessName: September payments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", ProcessId: 7804, ProcessName: powershell.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe, ParentImage: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe, ParentProcessId: 8148, ParentProcessName: YifGIcnmZiWfn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp", ProcessId: 1512, ProcessName: schtasks.exe
      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\September payments.exe", ParentImage: C:\Users\user\Desktop\September payments.exe, ParentProcessId: 7628, ParentProcessName: September payments.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", ProcessId: 7900, ProcessName: schtasks.exe
      Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\September payments.exe", ParentImage: C:\Users\user\Desktop\September payments.exe, ParentProcessId: 7628, ParentProcessName: September payments.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe", ProcessId: 7804, ProcessName: powershell.exe

      Persistence and Installation Behavior

      Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\September payments.exe", ParentImage: C:\Users\user\Desktop\September payments.exe, ParentProcessId: 7628, ParentProcessName: September payments.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp", ProcessId: 7900, ProcessName: schtasks.exe
      No Suricata rule has matched


      AV Detection

      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | ReversingLabs: Detection: 60%
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Virustotal: Detection: 34%
      Source: September payments.exe | ReversingLabs: Detection: 60%
      Source: September payments.exe | Virustotal: Detection: 34%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Joe Sandbox ML: detected
      Source: September payments.exe | Joe Sandbox ML: detected
      Source: September payments.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: September payments.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: BmTE.pdb source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
      Source: Binary string: BmTE.pdbSHA256 source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
      Source: September payments.exe, 00000000.00000002.1369478980.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, YifGIcnmZiWfn.exe, 0000000E.00000002.1416021877.000000000295B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

      System Summary

      Source: initial sample | Static PE information: Filename: September payments.exe
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_00C1D5DC
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C807C0
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C807AF
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C894F0
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C875E8
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C875E3
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C89500
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C80268
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C80278
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C890C8
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C871B0
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C88C90
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_00DBD5DC
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD07C0
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD07AF
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD94F0
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD75E8
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD9500
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD0268
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD0278
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD90C8
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD71B0
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CD8C90
      Source: September payments.exe, 00000000.00000000.1336830422.0000000000292000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBmTE.exeH vs September payments.exe
      Source: September payments.exe, 00000000.00000002.1366385860.000000000088E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs September payments.exe
      Source: September payments.exe, 00000000.00000002.1384220214.00000000099D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs September payments.exe
      Source: September payments.exe, 00000000.00000002.1371329305.000000000409A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs September payments.exe
      Source: September payments.exe | Binary or memory string: OriginalFilenameBmTE.exeH vs September payments.exe
      Source: September payments.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: September payments.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: YifGIcnmZiWfn.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, bBOVxW7S0gel36u4PX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.AddAccessRule
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, bBOVxW7S0gel36u4PX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, bBOVxW7S0gel36u4PX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.SetAccessControl
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | Security API names: _0020.AddAccessRule
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@35/15@0/0
      Source: C:\Users\user\Desktop\September payments.exe | File created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Mutant created: \Sessions\1\BaseNamedObjects\eNvEqmiOoDtDQZUfTkSTDrmKNms
      Source: C:\Users\user\Desktop\September payments.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp
      Source: September payments.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: September payments.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Users\user\Desktop\September payments.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\September payments.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: September payments.exe, 00000000.00000000.1336830422.0000000000292000.00000002.00000001.01000000.00000003.sdmp, YifGIcnmZiWfn.exe.0.dr | Binary or memory string: select * from [card] where [card].id = (select employees.[card] from employees where employees.id =quse employees; select [name] from department where id =
      Source: September payments.exe | ReversingLabs: Detection: 60%
      Source: September payments.exe | Virustotal: Detection: 34%
      Source: C:\Users\user\Desktop\September payments.exe | File read: C:\Users\user\Desktop\September payments.exe
      Source: unknown | Process created: C:\Users\user\Desktop\September payments.exe "C:\Users\user\Desktop\September payments.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: unknown | Process created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Users\user\Desktop\September payments.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: version.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: profapi.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: amsi.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: propsys.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: edputil.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: netutils.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: slc.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: sppc.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\September payments.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\September payments.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: September payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: September payments.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: September payments.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: BmTE.pdb | source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
      Source: Binary string: BmTE.pdbSHA256 | source: September payments.exe, YifGIcnmZiWfn.exe.0.dr

      Data Obfuscation

      Source: September payments.exe, authorizationForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
      Source: YifGIcnmZiWfn.exe.0.dr, authorizationForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.3882450.1.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.6ae0000.4.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.386a230.2.raw.unpack, MainForm.cs | .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
      Source: September payments.exe | Static PE information: 0xD20C92D2 [Tue Sep 2 11:49:38 2081 UTC]
      Source: C:\Users\user\Desktop\September payments.exe | Code function: 0_2_06C88800 pushfd ; retf 0006h | 0_2_06C88802
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CDCB30 push eax; ret | 14_2_06CDCB31
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe | Code function: 14_2_06CDD802 pushad ; retf | 14_2_06CDD831
      Source: September payments.exe | Static PE information: section name: .text entropy: 7.5939135879816275
      Source: YifGIcnmZiWfn.exe.0.dr | Static PE information: section name: .text entropy: 7.5939135879816275
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs | High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs | High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, jn3pd38o6HydlGk2jv.cs | High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, flR3Wtu2gZG533jdYf.cs | High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, nnVNRT4c5sySiXXnA1.cs | High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, k3g9ZncN9gMhaZC5gA.cs | High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, DnoOdX55MSVlywNWqFj.cs | High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, FDW9O13LNeNN2ADGYN.cs | High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, doTbPAw0AUeUPrUYUG.cs | High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, GpM7jNiMoR3B8LQF5I.cs | High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, ptYaKU5boCJp9McaiEV.cs | High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, xlm4psUO4PjUh7S4Bm.cs | High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, q0kGt9okAjtGPm0jl7.cs | High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, bBOVxW7S0gel36u4PX.cs | High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, kuHYVfr0G6ndTFipQi.cs | High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs | High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, gnFlTahpqRvcZEpWdR.cs | High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, eyntHx5VCUAEWgPjva2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
      Source: 0.2.September payments.exe.99d0000.5.raw.unpack, jItbcceLl11vo3ORv1.cs | High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs | High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs | High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, jn3pd38o6HydlGk2jv.cs | High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, flR3Wtu2gZG533jdYf.cs | High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, nnVNRT4c5sySiXXnA1.cs | High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, k3g9ZncN9gMhaZC5gA.cs | High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, DnoOdX55MSVlywNWqFj.cs | High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, FDW9O13LNeNN2ADGYN.cs | High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, doTbPAw0AUeUPrUYUG.cs | High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, GpM7jNiMoR3B8LQF5I.cs | High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, ptYaKU5boCJp9McaiEV.cs | High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, xlm4psUO4PjUh7S4Bm.cs | High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, q0kGt9okAjtGPm0jl7.cs | High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, bBOVxW7S0gel36u4PX.cs | High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, kuHYVfr0G6ndTFipQi.cs | High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs | High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, gnFlTahpqRvcZEpWdR.cs | High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, eyntHx5VCUAEWgPjva2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
      Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, jItbcceLl11vo3ORv1.cs | High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs | High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs | High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs | High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, jn3pd38o6HydlGk2jv.cs | High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, flR3Wtu2gZG533jdYf.cs | High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, nnVNRT4c5sySiXXnA1.cs | High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, k3g9ZncN9gMhaZC5gA.cs | High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, DnoOdX55MSVlywNWqFj.cs | High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, FDW9O13LNeNN2ADGYN.cs | High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, doTbPAw0AUeUPrUYUG.cs | High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, GpM7jNiMoR3B8LQF5I.cs | High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, ptYaKU5boCJp9McaiEV.cs | High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, xlm4psUO4PjUh7S4Bm.cs | High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, q0kGt9okAjtGPm0jl7.cs | High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, bBOVxW7S0gel36u4PX.cs | High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, kuHYVfr0G6ndTFipQi.cs | High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs | High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, gnFlTahpqRvcZEpWdR.cs | High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, eyntHx5VCUAEWgPjva2.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
      Source: 0.2.September payments.exe.4358c50.0.raw.unpack, jItbcceLl11vo3ORv1.cs | High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
      Source: C:\Users\user\Desktop\September payments.exe | File created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
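The three static findings in this section (the link-time stamp 0xD20C92D2 that decodes to a date in 2081, the .text section entropy of 7.59 in both the sample and the dropped copy, and the high entropy of the concatenated method names in the unpacked assemblies) can be reproduced with the script below. It is an added example, not Joe Sandbox code and not anything taken from the sample: the PE image it parses is a constructed minimal header with a single section, the analysis date (2024-10-01) and the 7.2 entropy cut-off are assumptions, and the two method-name lists are copied from the report lines above (one obfuscated class, one set of ordinary .NET names for comparison).

```python
"""Static checks behind the 'suspicious time stamp', '.text entropy' and
'high entropy of concatenated method names' findings. Added example, not
Joe Sandbox code; the PE image and the analysis date are constructed."""
from __future__ import annotations

import hashlib
import math
import struct
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.2  # assumed cut-off for a packed or encrypted section
ANALYSIS_TIME = datetime(2024, 10, 1, tzinfo=timezone.utc)  # assumed analysis date

# Names copied from the report: one obfuscated class, one set of normal names.
OBFUSCATED_NAMES = ['FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9',
                    'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt']
PLAIN_NAMES = ['Dispose', 'ToString', 'GetHashCode', 'Equals', 'InitializeComponent']


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> tuple[int, dict[str, bytes]]:
    """Return (TimeDateStamp, {section name: raw bytes}) from a PE image.
    Reads only e_lfanew, the COFF file header and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections: dict[str, bytes] = {}
    for i in range(nsect):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = blob[raw_ptr:raw_ptr + raw_size]
    return stamp, sections


def timestamp_verdict(stamp: int, analysis_time: datetime = ANALYSIS_TIME) -> tuple[datetime, str]:
    """Decode the link-time stamp and classify it relative to the analysis date."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if stamp == 0:
        return when, "zeroed"
    if when > analysis_time:
        return when, "in the future"
    if when.year < 1995:
        return when, "implausibly old"
    return when, "plausible"


def high_entropy_sections(sections: dict[str, bytes], threshold: float = ENTROPY_THRESHOLD) -> dict[str, float]:
    """Section name -> entropy for every section at or above the threshold."""
    flagged = {}
    for name, data in sections.items():
        e = shannon_entropy(data)
        if e >= threshold:
            flagged[name] = round(e, 3)
    return flagged


def name_entropy(names: list[str]) -> float:
    """Entropy of the concatenated method names; generated names push this up."""
    return shannon_entropy("".join(names).encode())


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for packed code (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


def build_sample_pe(stamp: int, text: bytes) -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header with no
    optional header, one .text section. Enough for parse_pe, not loadable."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    raw_ptr = 0x40 + 4 + 20 + 40
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + text


if __name__ == "__main__":
    stamp, sections = parse_pe(build_sample_pe(0xD20C92D2, pseudo_random(4096)))
    print(timestamp_verdict(stamp), high_entropy_sections(sections))
    print(round(name_entropy(OBFUSCATED_NAMES), 2), round(name_entropy(PLAIN_NAMES), 2))
```

A future-dated stamp on its own is weak evidence for a .NET binary: deterministic builds write a content hash into TimeDateStamp, which routinely decodes to an impossible date. It is the combination with the packed-looking .text section, the generated method names and the Assembly.Load(byte[]) calls listed above that supports the unpacker verdict. Note also that names such as 'Dispose' and 'ToString' survive in the obfuscated classes because overrides of framework methods cannot be renamed; the entropy of the concatenated list still rises well above that of hand-written code.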

      Boot Survival

      Source: C:\Users\user\Desktop\September payments.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
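The schtasks.exe command line above is what the Sigma rules named in the overview key on: the task definition is loaded with /XML from a file in the user's %TEMP% folder, and the parent process runs from the Desktop. The following is an added detection example, not a Sigma rule and not Joe Sandbox code: it applies a simplified version of that logic to constructed process-creation events, one of which reproduces the command line from this report. The field names (Image, ParentImage, CommandLine) follow Sysmon event ID 1; the temp-folder and user-writable-folder patterns are assumptions, and the report does not show the content of the task XML, so the example does not reason about the task's action.

```python
"""Flag schtasks.exe /Create invocations whose task XML lives in a temp folder
or whose parent runs from a user-writable location. Added example over
constructed events; not a Sigma rule or Joe Sandbox code."""
from __future__ import annotations

import re

# Assumed folder patterns (Windows paths, case-insensitive).
TEMP_DIRS = re.compile(r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%)", re.IGNORECASE)
USER_WRITABLE_PARENT = re.compile(
    r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\(Roaming|Local))\\", re.IGNORECASE)

# Constructed Sysmon-style process-creation records; the first reproduces the report.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\September payments.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Backup\Nightly"'},
]


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyse_schtasks(event: dict) -> dict | None:
    """Return a finding for a suspicious schtasks.exe /Create, else None."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(event.get("CommandLine", ""))
    flags = {a.lower(): i for i, a in enumerate(args)}
    if "/create" not in flags:
        return None

    def value(flag: str) -> str | None:
        i = flags.get(flag)
        return args[i + 1] if i is not None and i + 1 < len(args) else None

    xml_path = value("/xml")
    parent = event.get("ParentImage", "")
    reasons = []
    if xml_path and TEMP_DIRS.search(xml_path):
        reasons.append("task definition XML in temp location")
    if USER_WRITABLE_PARENT.search(parent):
        reasons.append("parent process runs from a user-writable folder")
    if not reasons:
        return None
    return {"task": value("/tn"), "xml": xml_path, "parent": parent, "reasons": reasons}


def scan(events: list[dict]) -> list[dict]:
    """Run analyse_schtasks over a batch of events and keep the findings."""
    return [f for f in (analyse_schtasks(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The task name Updates\YifGIcnmZiWfn matches the file dropped to AppData\Roaming in the previous section, which is the usual shape of this persistence pattern; the /XML file itself is a temporary file that the sample can delete after registration, so the Task Scheduler's own copy under C:\Windows\System32\Tasks\Updates is the artefact to collect during response.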

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
      Source: C:\Users\user\Desktop\September payments.exe | Process information set: NOOPENFILEERRORBOX (47 occurrences)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match; File source: Process Memory Space: September payments.exe PID: 7628, type: MEMORYSTR
      Source: Yara match; File source: Process Memory Space: YifGIcnmZiWfn.exe PID: 8148, type: MEMORYSTR
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: BD0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 2840000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 2660000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 7220000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 8220000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 83C0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 93C0000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: 9A60000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: AA60000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: BA60000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: CD0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 26E0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: CD0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 6D60000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 7D60000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 7EF0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 8EF0000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: 9450000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: A450000 memory reserve | memory write watch
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Memory allocated: B450000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\September payments.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5551
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 865
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7485
      Source: C:\Users\user\Desktop\September payments.exe TID: 7648; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944; Thread sleep count: 5551 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7952; Thread sleep count: 865 > 30
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156; Thread sleep time: -4611686018427385s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100; Thread sleep time: -1844674407370954s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160; Thread sleep time: -5534023222112862s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe TID: 8176; Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
      Source: C:\Users\user\Desktop\September payments.exe; Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\September payments.exe; Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
      Source: C:\Users\user\Desktop\September payments.exe; Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\September payments.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
      Source: C:\Users\user\Desktop\September payments.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
      Source: C:\Users\user\Desktop\September payments.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
      Source: C:\Users\user\Desktop\September payments.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Users\user\Desktop\September payments.exe VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\September payments.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exeQueries volume information: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\September payments.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (one row per line, tactics separated by " | "; a leading number marks a technique the sandbox matched, with the number as printed in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1527847
Sample: September payments.exe
Startdate: 07/10/2024
Architecture: WINDOWS
Score: 100
Signatures on the sample: Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 7 other signatures
• September payments.exe (started)
• Dropped: C:\Users\user\AppData\...\YifGIcnmZiWfn.exe (PE32); C:\...\YifGIcnmZiWfn.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF1AE.tmp (XML); C:\Users\user\...\September payments.exe.log (ASCII)
• Signature: Adds a directory exclusion to Windows Defender
• Started: powershell.exe (Signature: Loading BitLocker PowerShell Module; started conhost.exe and WmiPrvSE.exe); powershell.exe (started conhost.exe); schtasks.exe (started conhost.exe); 5 other processes
• YifGIcnmZiWfn.exe (started)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• Started: schtasks.exe (started conhost.exe); vbc.exe; vbc.exe; 3 other processes

Source: September payments.exe, Detection: 61%, Scanner: ReversingLabs, Label: Win32.Trojan.Leonem
Source: September payments.exe, Detection: 35%, Scanner: Virustotal
Source: September payments.exe, Detection: 100%, Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe, Detection: 100%, Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe, Detection: 61%, Scanner: ReversingLabs, Label: Win32.Trojan.Leonem
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe, Detection: 35%, Scanner: Virustotal
No Antivirus matches
Source: s-part-0017.t-0009.t-msedge.net, Detection: 0%, Scanner: Virustotal
Source: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Detection: 0%, Scanner: URL Reputation, Label: safe
Name: s-part-0017.t-0009.t-msedge.net, IP: 13.107.246.45, Active: true, Malicious: false, Reputation: unknown
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Source: September payments.exe, 00000000.00000002.1369478980.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, YifGIcnmZiWfn.exe, 0000000E.00000002.1416021877.000000000295B000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
      No contacted IP infos
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1527847
      Start date and time:2024-10-07 10:48:07 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 6m 14s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:September payments.exe
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@35/15@0/0
      EGA Information:
      • Successful, ratio: 100%
      HCA Information:
      • Successful, ratio: 99%
      • Number of executed functions: 50
      • Number of non-executed functions: 12
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
Time: 04:48:58, Type: API Interceptor, Description: 1x Sleep call for process: September payments.exe modified
Time: 04:49:00, Type: API Interceptor, Description: 37x Sleep call for process: powershell.exe modified
Time: 04:49:03, Type: API Interceptor, Description: 1x Sleep call for process: YifGIcnmZiWfn.exe modified
Time: 09:49:00, Type: Task Scheduler, Description: Run new task: YifGIcnmZiWfn path: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      No context
Match: s-part-0017.t-0009.t-msedge.net
• Associated Sample Name / URL: https://pub-e8583bd7c3574b5b8171769cd95518de.r2.dev/index.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: Fact-2024-10.pdf, Detection: malicious, Threat Name: Unknown, Context: 13.107.246.45
• Associated Sample Name / URL: https://pub-737d748721344356b3ba725600a8404d.r2.dev/index.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://uppholldbcloginn.gitbook.io/us/, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://pub-ba5a046c69974217b0431bca4ba43740.r2.dev/rep.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://pub-04836febb1fc46fca4a8c225ef7d2a38.r2.dev/tantindex.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://pub-17d7828daac64fc3a83940a40d8b01d8.r2.dev/qwertyuiopBowa.html, Detection: malicious, Threat Name: Outlook Phishing, HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://webmailserv3038z.wixsite.com/my-site/, Detection: malicious, Threat Name: Unknown, Context: 13.107.246.45
• Associated Sample Name / URL: http://pub-3e7a5cfb45bf4e96837e2976d2a1ca5a.r2.dev/be141.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 13.107.246.45
• Associated Sample Name / URL: http://orange234.wixsite.com/my-site/, Detection: malicious, Threat Name: Unknown, Context: 13.107.246.45
      No context
      No context
      No context
      Process:C:\Users\user\Desktop\September payments.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.34331486778365
      Encrypted:false
      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
      MD5:1330C80CAAC9A0FB172F202485E9B1E8
      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
      Malicious:true
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
      Process:C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.34331486778365
      Encrypted:false
      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
      MD5:1330C80CAAC9A0FB172F202485E9B1E8
      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
      Malicious:false
      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:data
      Category:dropped
      Size (bytes):2232
      Entropy (8bit):5.379540626579189
      Encrypted:false
      SSDEEP:48:BWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:BLHxvIIwLgZ2KRHWLOugss
      MD5:2B88D5C2F633006516FBC3B646994FE5
      SHA1:80E07B7D79AB4581DC389E81EE3F89FED014349B
      SHA-256:965370850F0B35E9AC0A096084C8B986392132D780112BFDCCB692C65A89C701
      SHA-512:959FFB914232EBB81097C4EBADECD580762E1FC05AEF37C23544F4640ECDEB5FD354DC7571D9C4C5B472D330CC8AA189965FF908B42CF4E21535453266971098
      Malicious:false
      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):60
      Entropy (8bit):4.038920595031593
      Encrypted:false
      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
      MD5:D17FE0A3F47BE24A6453E9EF58C94641
      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
      Malicious:false
      Preview:# PowerShell test file to determine AppLocker lockdown mode
      Process:C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      File Type:XML 1.0 document, ASCII text
      Category:dropped
      Size (bytes):1572
      Entropy (8bit):5.088003133405676
      Encrypted:false
      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewVv:HeLwYrFdOFzOz6dKrsuq0
      MD5:31A12CC6204AAED4B1537AF6EBAA76BE
      SHA1:1FF94F0FBB6DC2630E4201A6C07179FA71068E25
      SHA-256:1FCE77440A89BDD614088B36F1E2AFE03D3EB87B2A5EC6800F57D5A29583C96C
      SHA-512:CC697C1F3B58269212E16A79CF92BEC32E0CF919114D2A64BF040D9F4492A08140F04DC646D61F8E2628E2CC9D751C7AC928E5B2C71205E9E31739080B3C0BD3
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
      Process:C:\Users\user\Desktop\September payments.exe
      File Type:XML 1.0 document, ASCII text
      Category:dropped
      Size (bytes):1572
      Entropy (8bit):5.088003133405676
      Encrypted:false
      SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewVv:HeLwYrFdOFzOz6dKrsuq0
      MD5:31A12CC6204AAED4B1537AF6EBAA76BE
      SHA1:1FF94F0FBB6DC2630E4201A6C07179FA71068E25
      SHA-256:1FCE77440A89BDD614088B36F1E2AFE03D3EB87B2A5EC6800F57D5A29583C96C
      SHA-512:CC697C1F3B58269212E16A79CF92BEC32E0CF919114D2A64BF040D9F4492A08140F04DC646D61F8E2628E2CC9D751C7AC928E5B2C71205E9E31739080B3C0BD3
      Malicious:true
      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
      Process:C:\Users\user\Desktop\September payments.exe
      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):894464
      Entropy (8bit):7.585829148006058
      Encrypted:false
      SSDEEP:24576:Iv7Dh/9Fr/2yEjg4WIXAysZJmpTpnyEcu3GD:Ijt/X23zW+AhZMhpnyEzW
      MD5:BDDB3B5687C1E5C4BB89E38D406261D1
      SHA1:AAF992182827D0493B478B9723FDCAB48B1B509D
      SHA-256:B1FB20D5857D1CA65DBACD6CB100DC2D7DA8EB7CE54D4FAEEBAFB2BBB212BECA
      SHA-512:7CA8B69ADE3FF0F0D151CF09132CFF27880E0C080F9FE3BEF49FD5DF428ED37A86EFCDE753AC24B4DBCD5BB0DD421D3A478B5C38D3A4FF8183C8C54AE773E876
      Malicious:true
      Antivirus:
      • Antivirus: Joe Sandbox ML, Detection: 100%
      • Antivirus: ReversingLabs, Detection: 61%
      • Antivirus: Virustotal, Detection: 35%, Browse
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0................. ........@.. ....................................@.....................................O.......<............................{..p............................................ ............... ..H............text....... ...................... ..`.rsrc...<...........................@..@.reloc..............................@..B........................H........G..P.......Q...L...P.............................................{....*"..}....*....0...........(....r...po....o....}......}.....(.......(......{....s.......o.....r%..ps.......o......o.......o......,{.+k...o.........J.....J.........,K...(....sR...}.....{....oS.....{.....{....{....rU..p.{....{....( ...o!.......o".......-......,..o#.........,..o#......(.....*......^...........<..........0............{....o$...o%.....{....s.......o.....rY..p.{....|....(&...r...p( .....s
      Process:C:\Users\user\Desktop\September payments.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Preview:[ZoneTransfer]....ZoneId=0
      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.585829148006058
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      • Win32 Executable (generic) a (10002005/4) 49.78%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:September payments.exe
      File size:894'464 bytes
      MD5:bddb3b5687c1e5c4bb89e38d406261d1
      SHA1:aaf992182827d0493b478b9723fdcab48b1b509d
      SHA256:b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
      SHA512:7ca8b69ade3ff0f0d151cf09132cff27880e0c080f9fe3bef49fd5df428ed37a86efcde753ac24b4dbcd5bb0dd421d3a478b5c38d3a4ff8183c8c54ae773e876
      SSDEEP:24576:Iv7Dh/9Fr/2yEjg4WIXAysZJmpTpnyEcu3GD:Ijt/X23zW+AhZMhpnyEzW
      TLSH:0E15ACC076296B05DD7947B09425DDB183B52C29B069F6D60CCAFBFB35A87039A08F4B
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
      Icon Hash:00928e8e8686b000
      Entrypoint:0x4db9de
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Time Stamp:0xD20C92D2 [Tue Sep 2 11:49:38 2081 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
      Instruction
      jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdb98b | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdc000 | 0x63c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd7b9c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd99e4 | 0xd9a00 | 40b81ee285931ca9c626dc65057a0f4d | False | 0.8150477006748995 | data | 7.5939135879816275 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xdc000 | 0x63c | 0x800 | 73e094d2cb6865333e9a03a38d550e93 | False | 0.3388671875 | data | 3.489391156942365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000 | 0xc | 0x200 | e9e8befa9e0ce715f5180e0879fb6a6e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xdc090 | 0x3ac | data | | | 0.41595744680851066
RT_MANIFEST | 0xdc44c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 10:48:55.968266964 CEST | 1.1.1.1 | 192.168.2.9 | 0x5c9a | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 7, 2024 10:48:55.968266964 CEST | 1.1.1.1 | 192.168.2.9 | 0x5c9a | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


      Target ID:0
      Start time:04:48:58
      Start date:07/10/2024
      Path:C:\Users\user\Desktop\September payments.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\user\Desktop\September payments.exe"
      Imagebase:0x290000
      File size:894'464 bytes
      MD5 hash:BDDB3B5687C1E5C4BB89E38D406261D1
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low
      Has exited:true

      Target ID:3
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
      Imagebase:0x160000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:4
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff70f010000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:5
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
      Imagebase:0x160000
      File size:433'152 bytes
      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:6
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff70f010000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:7
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
      Imagebase:0xa70000
      File size:187'904 bytes
      MD5 hash:48C2FE20575769DE916F48EF0676A965
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:8
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff70f010000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:9
      Start time:04:48:59
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:10
      Start time:04:49:00
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:11
      Start time:04:49:00
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:12
      Start time:04:49:00
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:13
      Start time:04:49:00
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate
      Has exited:true

      Target ID:14
      Start time:04:49:00
      Start date:07/10/2024
      Path:C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
      Imagebase:0x290000
      File size:894'464 bytes
      MD5 hash:BDDB3B5687C1E5C4BB89E38D406261D1
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Antivirus matches:
      • Detection: 100%, Joe Sandbox ML
      • Detection: 61%, ReversingLabs
      • Detection: 35%, Virustotal, Browse
      Has exited:true

      Target ID:15
      Start time:04:49:02
      Start date:07/10/2024
      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      Imagebase:0x7ff72d8c0000
      File size:496'640 bytes
      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
      Has elevated privileges:true
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:false

      Target ID:16
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\SysWOW64\schtasks.exe
      Wow64 process (32bit):true
      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
      Imagebase:0xa70000
      File size:187'904 bytes
      MD5 hash:48C2FE20575769DE916F48EF0676A965
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:17
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff70f010000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:18
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:19
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:20
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:21
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true

      Target ID:22
      Start time:04:49:04
      Start date:07/10/2024
      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Wow64 process (32bit):false
      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      Imagebase:0x420000
      File size:2'625'616 bytes
      MD5 hash:0A7608DB01CAE07792CEA95E792AA866
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Has exited:true


        Execution Graph

        Execution Coverage:11%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:0%
        Total number of Nodes:109
        Total number of Limit Nodes:8

        Control-flow Graph

        APIs
        • GetCurrentProcess.KERNEL32 ref: 00C1D0DE
        • GetCurrentThread.KERNEL32 ref: 00C1D11B
        • GetCurrentProcess.KERNEL32 ref: 00C1D158
        • GetCurrentThreadId.KERNEL32 ref: 00C1D1B1
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0
        • Opcode ID: 53b1be74531995109053261f1b5100f7eb673cb8a51fb7b8029096be7302ca30
        • Instruction ID: 27c186a5b5d08bbd66c4dfc1f2ea16d772e128c78c75e1c1515f198f369f8552
        • Opcode Fuzzy Hash: 53b1be74531995109053261f1b5100f7eb673cb8a51fb7b8029096be7302ca30
        • Instruction Fuzzy Hash: 3F5178B49007498FEB14CFA9D548BDEBBF1EF49314F208499E019A73A0D7749984CF65

        Control-flow Graph

        APIs
        • GetCurrentProcess.KERNEL32 ref: 00C1D0DE
        • GetCurrentThread.KERNEL32 ref: 00C1D11B
        • GetCurrentProcess.KERNEL32 ref: 00C1D158
        • GetCurrentThreadId.KERNEL32 ref: 00C1D1B1
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0
        • Opcode ID: 78b775a3c1cac63420e14d751e005a0fcb8df9ed42bab12695333361496eb074
        • Instruction ID: edbf23eafe142d9c32d7f8f7d02e9d1dd748cfedf44b9e0820d7e72fd12aefd5
        • Opcode Fuzzy Hash: 78b775a3c1cac63420e14d751e005a0fcb8df9ed42bab12695333361496eb074
        • Instruction Fuzzy Hash: 3E5175B49007498FEB04CFAAD548BDEBBF5EF49310F208459E019A73A0D774A984CB66

        Control-flow Graph

        APIs
        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C8A42E
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: CreateProcess
        • String ID:
        • API String ID: 963392458-0
        • Opcode ID: ea49dfa711abf1687d3aee3d59aa2d398a9de151399faaeae0679c6ded3f61cf
        • Instruction ID: 8fc2d26d7b2008a22b6fcf7c42690cf17d49620143a180a0e657bb277116534b
        • Opcode Fuzzy Hash: ea49dfa711abf1687d3aee3d59aa2d398a9de151399faaeae0679c6ded3f61cf
        • Instruction Fuzzy Hash: 92918E71D007198FEF60DFA9C845BDEBBB2BF44314F04856AE809A7240DB749A85CF91

        Control-flow Graph

        APIs
        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C8A42E
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: CreateProcess
        • String ID:
        • API String ID: 963392458-0
        • Opcode ID: c44298da8063955a595cebb6c871f661d3a5db9eda2a579f649ff2ffa6616ef7
        • Instruction ID: c9028f6b6d954f9a735bb84b1a1a1346800d8fa2a8ede5f5a3c730a4804af803
        • Opcode Fuzzy Hash: c44298da8063955a595cebb6c871f661d3a5db9eda2a579f649ff2ffa6616ef7
        • Instruction Fuzzy Hash: 28918D71D007198FEF60DFA9C845BDEBBB2BF48314F14856AD809A7240DB749A85CF91

        Control-flow Graph

        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B01E
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 6d48fe3dab82841624575c15d84202dad234c2a00a39e618041ad81c132dfcce
        • Instruction ID: 5349bfd4dfbefc44b0370f7ce1322aa6660f68208f0576a43905ac780749d284
        • Opcode Fuzzy Hash: 6d48fe3dab82841624575c15d84202dad234c2a00a39e618041ad81c132dfcce
        • Instruction Fuzzy Hash: A8718770A01B058FDB24DF2AD54479ABBF1FF89300F00892DE09AD7A50D774E999CB92

        Control-flow Graph

        APIs
        • CreateActCtxA.KERNEL32(?), ref: 00C159C9
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0
        • Opcode ID: d13aea7ef9559c79cc5c6225ac87a72936f23a256ba1853b0defe473ad54a27a
        • Instruction ID: 6a378dffa24fcc458a4cde63461fcdfe251d0cdb843c2da6198144f12f30d85b
        • Opcode Fuzzy Hash: d13aea7ef9559c79cc5c6225ac87a72936f23a256ba1853b0defe473ad54a27a
        • Instruction Fuzzy Hash: F441D274C00719CBEB24CFAAC8847DEBBB5BF89704F20816AD409AB251DB756945DF90

        Control-flow Graph

        APIs
        • CreateActCtxA.KERNEL32(?), ref: 00C159C9
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0

        Control-flow Graph (graph image not preserved; entry block 6c89dd3-6c89e23, calls Wow64GetThreadContext; legend: Executed / Not Executed)
        APIs
        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06C89E56
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: ContextThreadWow64
        • String ID:
        • API String ID: 983334009-0

        Control-flow Graph (graph image not preserved; entry block 6c8a05b-6c8a0ed, calls ReadProcessMemory; legend: Executed / Not Executed)
        APIs
        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C8A0E0
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: MemoryProcessRead
        • String ID:
        • API String ID: 1726664587-0

        Control-flow Graph (graph image not preserved; entry block 6c8a060-6c8a0ed, calls ReadProcessMemory; legend: Executed / Not Executed)
        APIs
        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C8A0E0
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: MemoryProcessRead
        • String ID:
        • API String ID: 1726664587-0

        Control-flow Graph (graph image not preserved; entry block 6c89dd8-6c89e23, calls Wow64GetThreadContext; legend: Executed / Not Executed)
        APIs
        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06C89E56
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: ContextThreadWow64
        • String ID:
        • API String ID: 983334009-0

        Control-flow Graph (graph image not preserved; entry block c1d6a9-c1d744, calls DuplicateHandle; legend: Executed / Not Executed)
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D737
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0

        Control-flow Graph (graph image not preserved; entry block c1d6b0-c1d744, calls DuplicateHandle; legend: Executed / Not Executed)
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D737
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0

        Control-flow Graph (graph image not preserved; entry block 6c89eab-6c89f2b, calls VirtualAllocEx; legend: Executed / Not Executed)
        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C89F1E
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C89F1E
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        APIs
        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C8EB3D
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: MessagePost
        • String ID:
        • API String ID: 410705778-0
        APIs
        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C8EB3D
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID: MessagePost
        • String ID:
        • API String ID: 410705778-0
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B01E
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        Memory Dump Source
        • Source File: 00000000.00000002.1366292810.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_86d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366351760.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_87d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366351760.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_87d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366292810.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_86d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366351760.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_87d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366351760.000000000087D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0087D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_87d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366292810.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_86d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1366292810.000000000086D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0086D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_86d000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID: anS
        • API String ID: 0-3078589576
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID: 4{J
        • API String ID: 0-660055550
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID: 4{J
        • API String ID: 0-660055550
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID: anS
        • API String ID: 0-3078589576
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1383389736.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_6c80000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        Memory Dump Source
        • Source File: 00000000.00000002.1367773961.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_0_2_c10000_September payments.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:

        Execution Graph

        Execution Coverage:9.4%
        Dynamic/Decrypted Code Coverage:100%
        Signature Coverage:0%
        Total number of Nodes:96
        Total number of Limit Nodes:6
        execution_graph (graph image not preserved; API nodes appearing in the graph: CreateActCtxA, PostMessageW, GetModuleHandleW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, Wow64GetThreadContext, VirtualAllocEx, ReadProcessMemory, CreateProcessA)

        Control-flow Graph

        APIs
        • GetCurrentProcess.KERNEL32 ref: 00DBD0DE
        • GetCurrentThread.KERNEL32 ref: 00DBD11B
        • GetCurrentProcess.KERNEL32 ref: 00DBD158
        • GetCurrentThreadId.KERNEL32 ref: 00DBD1B1
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0

        Control-flow Graph

        APIs
        • GetCurrentProcess.KERNEL32 ref: 00DBD0DE
        • GetCurrentThread.KERNEL32 ref: 00DBD11B
        • GetCurrentProcess.KERNEL32 ref: 00DBD158
        • GetCurrentThreadId.KERNEL32 ref: 00DBD1B1
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: Current$ProcessThread
        • String ID:
        • API String ID: 2063062207-0

        Control-flow Graph (graph image not preserved; entry block 6cda1ec-6cda28d, calls CreateProcessA; legend: Executed / Not Executed)
        APIs
        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CDA42E
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: CreateProcess
        • String ID:
        • API String ID: 963392458-0
        • Opcode ID: db02342acd6e612b81c8bc8aba4a9f4efeac724d0286b596b0e1eec67b68fd34
        • Instruction ID: a9958968d892f6be31c905877e4813320afd88f3b3a92dd61ae5d3d4e77e711d
        • Opcode Fuzzy Hash: db02342acd6e612b81c8bc8aba4a9f4efeac724d0286b596b0e1eec67b68fd34
        • Instruction Fuzzy Hash: 3FA18C71D00719CFEB60CFA9C845BDEBBB2BF48314F1485A9D909A7280DB749A85CF91

        Control-flow Graph
        APIs
        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CDA42E
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: CreateProcess
        • String ID:
        • API String ID: 963392458-0
        • Opcode ID: bc61964e0a412b35b6d2919da8b026a4f4e822e1d46b3a0c1aaf9216720aab5d
        • Instruction ID: 588372d69b3ee426bb162df6fdf5f0fe6203deb11d0056913d868e9836f6af4c
        • Opcode Fuzzy Hash: bc61964e0a412b35b6d2919da8b026a4f4e822e1d46b3a0c1aaf9216720aab5d
        • Instruction Fuzzy Hash: 18919E71D00719CFEB60CFA9C841BDEBBB2BF48314F148569D909A7280DB749A85CF91

        Control-flow Graph
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 00DBB01E
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: ff6fae72ac7debd87ed0b7e281fbeeaddb94c1719bd18a03470859911e17b3da
        • Instruction ID: fde02168342785f6c4b9b2431ebe9f5a9d56ddaa174600058cb06d6e7395dcac
        • Opcode Fuzzy Hash: ff6fae72ac7debd87ed0b7e281fbeeaddb94c1719bd18a03470859911e17b3da
        • Instruction Fuzzy Hash: AA814770A00B05CFDB24DF29D4557AABBF1FF88304F14892EE0969BA40D775E845CBA1

        Control-flow Graph
        APIs
        • CreateActCtxA.KERNEL32(?), ref: 00DB59C9
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0
        • Opcode ID: 0aa73bb586c3606a8111d2217b66586f15a32588d00e4f170894f31bb61ddc52
        • Instruction ID: 0be679c8a589143786068466349e0767e9be825c4ebcbc2d7438b82df78100e2
        • Opcode Fuzzy Hash: 0aa73bb586c3606a8111d2217b66586f15a32588d00e4f170894f31bb61ddc52
        • Instruction Fuzzy Hash: AB41E1B0C00719CBDB24DFA9D884BDEBBB5FF89704F20806AD409AB255DB756945CF90

        Control-flow Graph
        APIs
        • CreateActCtxA.KERNEL32(?), ref: 00DB59C9
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: Create
        • String ID:
        • API String ID: 2289755597-0
        • Opcode ID: 7bad4109090f7064b3f4211be52b05367d577f31b0aea59aacfa9f60ca11939a
        • Instruction ID: b42f9a97018bbccb46ed7ffa84101045f68c450727b3574ce2026184eae0b8b7
        • Opcode Fuzzy Hash: 7bad4109090f7064b3f4211be52b05367d577f31b0aea59aacfa9f60ca11939a
        • Instruction Fuzzy Hash: 184103B0C00719CBEB24DFA9D8847CDBBB1BF88704F20805AD409AB255DB716945CF50

        Control-flow Graph
        APIs
        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06CD9E56
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: ContextThreadWow64
        • String ID:
        • API String ID: 983334009-0
        • Opcode ID: 68f0d478248974dbe5693a5c01433450b8178f62450d05b84e629ac1556c03b5
        • Instruction ID: 7bd27cb2fe8868db050497629e0ee8635fe808de007b06ebb9c770197bdee3ff
        • Opcode Fuzzy Hash: 68f0d478248974dbe5693a5c01433450b8178f62450d05b84e629ac1556c03b5
        • Instruction Fuzzy Hash: 2D216875D003098FDB10DFAAC8857EEBBF4FF48210F54842AD559A7641CB789A45CFA1

        Control-flow Graph
        APIs
        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CDA0E0
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: MemoryProcessRead
        • String ID:
        • API String ID: 1726664587-0
        • Opcode ID: bceb2b1a2fb968ad06a865eb406bed402234bdab4c2a8edfed4b44d67908dd47
        • Instruction ID: 719892f584db744bdcd2271e6b00ee8db8e0c9c52281dd771477f0654ce2b66c
        • Opcode Fuzzy Hash: bceb2b1a2fb968ad06a865eb406bed402234bdab4c2a8edfed4b44d67908dd47
        • Instruction Fuzzy Hash: EE2136B18003499FDB10CFAAD880BEEBBF5FF48310F50842AE559A7240CB799940CBA1

        Control-flow Graph
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBD737
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 2db7b5e1b9ce0d4149fdc637b31ee5fb2de5bc64db7efe65f6bc3f84d2cc0071
        • Instruction ID: 8a69382bfe607574895677ea574f2c58d800d1ceb73a64c1a4a8ecf3590b5102
        • Opcode Fuzzy Hash: 2db7b5e1b9ce0d4149fdc637b31ee5fb2de5bc64db7efe65f6bc3f84d2cc0071
        • Instruction Fuzzy Hash: BB21E4B5900249DFDB10CF9AD484ADEBBF5FB48320F14842AE959B3350D374A941CFA1

        Control-flow Graph
        APIs
        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CDA0E0
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: MemoryProcessRead
        • String ID:
        • API String ID: 1726664587-0
        • Opcode ID: 82584dff7d5206b1638d1ce338f4aae6ec4fa4b1e800e726ce84139afc6d1c2f
        • Instruction ID: 731c02e1cff6406ffd5b425069cd9932ab3889a27f669ae8c10ffc9b2382e2fc
        • Opcode Fuzzy Hash: 82584dff7d5206b1638d1ce338f4aae6ec4fa4b1e800e726ce84139afc6d1c2f
        • Instruction Fuzzy Hash: 822128B1C003499FDB10CFAAC880BEEBBF5FF48310F54842AE559A7240D7799940CBA1

        Control-flow Graph
        APIs
        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06CD9E56
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: ContextThreadWow64
        • String ID:
        • API String ID: 983334009-0
        • Opcode ID: adecf3d135410dfdefa55ce4e627fbd720644733b221ca4c0180679320be50d4
        • Instruction ID: c04d3a155e59d671ea686e07c6bdd80a8657a726591c24588834a41abbfbc4b9
        • Opcode Fuzzy Hash: adecf3d135410dfdefa55ce4e627fbd720644733b221ca4c0180679320be50d4
        • Instruction Fuzzy Hash: C8213576D003098FDB10DFAAC4857EEBBF4FF88220F54842AD559A7241DB789A45CFA0

        Control-flow Graph
        APIs
        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DBD737
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: DuplicateHandle
        • String ID:
        • API String ID: 3793708945-0
        • Opcode ID: 061892abae9f790f16b459c479ef13cc4b17f201ca6b877cb78b4e6f73afd43f
        • Instruction ID: 33c4fba82889ffa75f5cf342ac81dc5ae28eb2536c393452e34b75ee938f34f7
        • Opcode Fuzzy Hash: 061892abae9f790f16b459c479ef13cc4b17f201ca6b877cb78b4e6f73afd43f
        • Instruction Fuzzy Hash: F921F5B5900249DFDB10CF9AD484ADEFBF5FB48320F14841AE959A3350D374A941CFA0

        Control-flow Graph
        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CD9F1E
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 93319886c360c8591dddf0560df43c8ce2c47becbf0178c5d12c9ca881154e72
        • Instruction ID: 188c5ab756ce7c334207507f4f5c0c94695e2c6e6ec25b5bf46f30ebde4a77f3
        • Opcode Fuzzy Hash: 93319886c360c8591dddf0560df43c8ce2c47becbf0178c5d12c9ca881154e72
        • Instruction Fuzzy Hash: 071156768002099FDB10CFAAD845BDFBBF5EF88320F148429E559A7250CB799540CFA1
        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CD9F1E
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 04344d3894dc965bd049f904ee77ab5917453c94407602084feba20e7f0ae696
        • Instruction ID: 33686c60e542c5d9545f5ad571fa527b3866dbc748a706196b264cb1cb1cd2c5
        • Opcode Fuzzy Hash: 04344d3894dc965bd049f904ee77ab5917453c94407602084feba20e7f0ae696
        • Instruction Fuzzy Hash: 201149768003499FDB10DFAAD844BDFBBF5EF88320F148419E559A7250C7799540CFA1
        APIs
        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CDDD55
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: MessagePost
        • String ID:
        • API String ID: 410705778-0
        • Opcode ID: 6d2b14be438e12307e34e9b1f12dc9f8ae0c8aab4f228985ea4fe662259ea701
        • Instruction ID: 3ce1dfb6ef9f665a59717dd1f9b572ae8564823efcc5207503f23c1953112422
        • Opcode Fuzzy Hash: 6d2b14be438e12307e34e9b1f12dc9f8ae0c8aab4f228985ea4fe662259ea701
        • Instruction Fuzzy Hash: 8511F2B58003499FDB20CF9AD885BDEBBF8EB48320F20841AE559A7250D375A944CFB1
        APIs
        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CDDD55
        Memory Dump Source
        • Source File: 0000000E.00000002.1421157018.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_6cd0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: MessagePost
        • String ID:
        • API String ID: 410705778-0
        • Opcode ID: 2a0086703201cccfff68e31ef345eee72bcb5d4bb09bba7ba0b9c7a82d9b07be
        • Instruction ID: acd05e5b6674ca91c418163c71b299849e4814bd77d886b8249fcabb14899878
        • Opcode Fuzzy Hash: 2a0086703201cccfff68e31ef345eee72bcb5d4bb09bba7ba0b9c7a82d9b07be
        • Instruction Fuzzy Hash: 781103B58003499FDB20DF9AC944BDEBBF8EB48320F20841AE959A7350D375A944CFA5
        APIs
        • GetModuleHandleW.KERNELBASE(00000000), ref: 00DBB01E
        Memory Dump Source
        • Source File: 0000000E.00000002.1415515614.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_db0000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID: HandleModule
        • String ID:
        • API String ID: 4139908857-0
        • Opcode ID: 122cf4fdd897e6753bfc82789d031a31821092d70c0dee9cc319b6acbfbcb550
        • Instruction ID: ac2b4915d808e55a8d7a63108792a3ab130b87820a4837f6c3024834895fea99
        • Opcode Fuzzy Hash: 122cf4fdd897e6753bfc82789d031a31821092d70c0dee9cc319b6acbfbcb550
        • Instruction Fuzzy Hash: 24110FB5C002498FDB20DF9AD444BDEFBF4AB88320F14842AD469A7210D3B9A545CFA1
        Memory Dump Source
        • Source File: 0000000E.00000002.1414665772.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a3d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a925926d5d1816ead28d41322e6d6d2e2b0d140a565be26effb17efb6130a5dd
        • Instruction ID: 24de1a52d8ac498990fb9aea5eace494d6975738eda0debb854e96f10ff295c6
        • Opcode Fuzzy Hash: a925926d5d1816ead28d41322e6d6d2e2b0d140a565be26effb17efb6130a5dd
        • Instruction Fuzzy Hash: 92210775504344DFDB05DF10E9C0B26BB65FB98324F24C569F90A4F256C336E856CBA2
        Memory Dump Source
        • Source File: 0000000E.00000002.1414747987.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a4d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5cfd3d6e7ba4dac9134e591f6780f27c69ebc1397b21be3dab422c5e34496a07
        • Instruction ID: 3063e8167190d23a6854d5d782d8d772c7443f0a3be1d27be985a578773ca8a8
        • Opcode Fuzzy Hash: 5cfd3d6e7ba4dac9134e591f6780f27c69ebc1397b21be3dab422c5e34496a07
        • Instruction Fuzzy Hash: 16210479604344EFDB05DF10D9C0B66BBA5FBC4314F24C6ADE8094B292C3B6D846CA61
        Memory Dump Source
        • Source File: 0000000E.00000002.1414747987.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a4d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b7499b7e445562de9e402b77e6de39db62682a8edcfae049c5e12bb25cefe116
        • Instruction ID: 74963b772eeafbca526435ef5da1750996f2b4f89e2dde0b7f5b50e3c5fe8462
        • Opcode Fuzzy Hash: b7499b7e445562de9e402b77e6de39db62682a8edcfae049c5e12bb25cefe116
        • Instruction Fuzzy Hash: 5521F279604344DFDB14DF10D9C4B26BB65FBC4314F24C5ADD80A4B286C37AD847CA62
        Memory Dump Source
        • Source File: 0000000E.00000002.1414665772.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a3d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
        • Instruction ID: 3ccd5d8d0fd72917a182738d8048ab2660bd22557c6851b3f7e63dc1254fa740
        • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
        • Instruction Fuzzy Hash: 7911E676504240DFCF16CF10E5C4B56BF71FB94324F24C6A9E8490B656C33AE856CBA1
        Memory Dump Source
        • Source File: 0000000E.00000002.1414747987.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a4d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
        • Instruction ID: 96e8b5dbe09011fcc5cc25009afa49e0fb437823d4fba486af227edadf87f116
        • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
        • Instruction Fuzzy Hash: D0119079504280DFCB15CF14D5C4B15FB61FB84314F24C6AED84A4B696C33AD84ACB61
        Memory Dump Source
        • Source File: 0000000E.00000002.1414747987.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
        Joe Sandbox IDA Plugin
        • Snapshot File: hcaresult_14_2_a4d000_YifGIcnmZiWfn.jbxd
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
        • Instruction ID: 98084502a3c75c0eea69a8df6b06011fafdb3c0f709c99234d48e986e9ce509f
        • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
        • Instruction Fuzzy Hash: B1119D79504280DFCB15CF50D5C4B55FBB1FB84314F28C6AED8494B696C37AD84ACB61