Edit tour

Windows Analysis Report
New Cmr JV2410180005.exe

Overview

General Information

Sample name:	New Cmr JV2410180005.exe
Analysis ID:	1541686
MD5:	adf34c05adf9629f38d6388bceaad6fd
SHA1:	12b9c57576e5b2ca7c3d070e68bada4f59a659ab
SHA256:	2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09
Tags:	AgentTeslaexeuser-threatcat_ch
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

New Cmr JV2410180005.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\New Cmr JV2410180005.exe" MD5: ADF34C05ADF9629F38D6388BCEAAD6FD)

powershell.exe (PID: 1020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7528 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 432 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

kOtBoy.exe (PID: 7256 cmdline: C:\Users\user\AppData\Roaming\kOtBoy.exe MD5: ADF34C05ADF9629F38D6388BCEAAD6FD)

schtasks.exe (PID: 7664 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7720 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1886513393.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1941337532.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2989084655.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2989084655.0000000002C37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: New Cmr JV2410180005.exe PID: 7044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Cmr JV2410180005.exe PID: 7044	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: New Cmr JV2410180005.exe PID: 7044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7236	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: kOtBoy.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.New Cmr JV2410180005.exe.70c0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.New Cmr JV2410180005.exe.4126538.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.4126538.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Cmr JV2410180005.exe.4126538.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dceb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dde7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de79:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dee3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df55:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfeb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e07b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x280093:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2ba8b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x280105:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x2ba925:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x28018f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x2ba9af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x280221:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x2baa41:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x28028b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x2baaab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2802fd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2bab1d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x280393:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2babb3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x421f1:$s1: file:/// 0x4214d:$s2: {11111-22222-10009-11112} 0x42181:$s3: {11111-22222-50001-00000} 0x3fe36:$s4: get_Module 0x302e7:$s5: Reverse 0x27ceaf:$s5: Reverse 0x2b76cf:$s5: Reverse 0x32ce1:$s6: BlockCopy 0x27f8a9:$s6: BlockCopy 0x2ba0c9:$s6: BlockCopy 0x2f839f:$s6: BlockCopy 0x3054c:$s7: ReadByte 0x27d114:$s7: ReadByte 0x2b7934:$s7: ReadByte 0x2f85f3:$s7: ReadByte 0x42203:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 17 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ParentImage: C:\Users\user\Desktop\New Cmr JV2410180005.exe, ParentProcessId: 7044, ParentProcessName: New Cmr JV2410180005.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ProcessId: 1020, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\kOtBoy.exe, ParentImage: C:\Users\user\AppData\Roaming\kOtBoy.exe, ParentProcessId: 7256, ParentProcessName: kOtBoy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp", ProcessId: 7664, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7236, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ParentImage: C:\Users\user\Desktop\New Cmr JV2410180005.exe, ParentProcessId: 7044, ParentProcessName: New Cmr JV2410180005.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", ProcessId: 432, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ParentImage: C:\Users\user\Desktop\New Cmr JV2410180005.exe, ParentProcessId: 7044, ParentProcessName: New Cmr JV2410180005.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ProcessId: 1020, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New Cmr JV2410180005.exe", ParentImage: C:\Users\user\Desktop\New Cmr JV2410180005.exe, ParentProcessId: 7044, ParentProcessName: New Cmr JV2410180005.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp", ProcessId: 432, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}

Multi AV Scanner detection for domain / URL

Source: mail.iaa-airferight.com	Virustotal: Detection: 7%			Perma Link
Source: http://mail.iaa-airferight.com	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kOtBoy.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: New Cmr JV2410180005.exe	ReversingLabs: Detection: 71%
Source: New Cmr JV2410180005.exe	Virustotal: Detection: 34%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kOtBoy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: New Cmr JV2410180005.exe

Joe Sandbox ML: detected

Source: New Cmr JV2410180005.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: New Cmr JV2410180005.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: jwSv.pdbSHA256 source: New Cmr JV2410180005.exe, kOtBoy.exe.0.dr
Source:	Binary string: jwSv.pdb source: New Cmr JV2410180005.exe, kOtBoy.exe.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 46.175.148.58 46.175.148.58

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 46.175.148.58:25

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: RegSvcs.exe, 00000009.00000002.1941337532.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2989084655.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1882214707.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, kOtBoy.exe, 0000000A.00000002.1946742054.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Cmr JV2410180005.exe, 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, SKTzxzsJw.cs	.Net Code: sf6jJs8S
Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, SKTzxzsJw.cs	.Net Code: sf6jJs8S

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_016BDCBC	0_2_016BDCBC
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_070F8B90	0_2_070F8B90
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_070F9392	0_2_070F9392
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_070FAAF0	0_2_070FAAF0
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_07100628	0_2_07100628
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_07103100	0_2_07103100
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_07107C68	0_2_07107C68
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710061B	0_2_0710061B
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710B558	0_2_0710B558
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710D4B3	0_2_0710D4B3
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710D4C0	0_2_0710D4C0
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_071002F8	0_2_071002F8
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_071002E8	0_2_071002E8
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710B120	0_2_0710B120
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_071030F0	0_2_071030F0
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_07107C58	0_2_07107C58
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710ACE8	0_2_0710ACE8
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0CB30B67	0_2_0CB30B67
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0CB332D8	0_2_0CB332D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01309B38	9_2_01309B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01304A98	9_2_01304A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0130CDB0	9_2_0130CDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01303E80	9_2_01303E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_013041C8	9_2_013041C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E856E0	9_2_05E856E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E80040	9_2_05E80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E8BD08	9_2_05E8BD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E83F50	9_2_05E83F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E88B9A	9_2_05E88B9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E8DB28	9_2_05E8DB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E82B00	9_2_05E82B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E89AE8	9_2_05E89AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E85000	9_2_05E85000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E8323B	9_2_05E8323B
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_02F34B00	10_2_02F34B00
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_02F3DCBC	10_2_02F3DCBC
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_07528B90	10_2_07528B90
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_07529388	10_2_07529388
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E0628	10_2_075E0628
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E3100	10_2_075E3100
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E7C68	10_2_075E7C68
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E061A	10_2_075E061A
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075EB558	10_2_075EB558
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075ED4C0	10_2_075ED4C0
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075ED4B2	10_2_075ED4B2
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E02F8	10_2_075E02F8
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E02E8	10_2_075E02E8
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075EB120	10_2_075EB120
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E30F0	10_2_075E30F0
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075E7C58	10_2_075E7C58
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075EACE8	10_2_075EACE8
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_075EA8AA	10_2_075EA8AA
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_0C360040	10_2_0C360040
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_0C36001D	10_2_0C36001D
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_0C3627B0	10_2_0C3627B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01089378	18_2_01089378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01089B38	18_2_01089B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01084A98	18_2_01084A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_01083E80	18_2_01083E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_010841C8	18_2_010841C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0108E96F	18_2_0108E96F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_060456E0	18_2_060456E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06043F50	18_2_06043F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_0604DD18	18_2_0604DD18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06049AE8	18_2_06049AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06042B00	18_2_06042B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06048BA0	18_2_06048BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06040040	18_2_06040040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06043250	18_2_06043250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 18_2_06045000	18_2_06045000

Source: New Cmr JV2410180005.exe, 00000000.00000002.1882214707.0000000002F36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000000.1730147009.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejwSv.exe8 vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1882214707.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1881060907.000000000115E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe, 00000000.00000002.1888011613.0000000009810000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs New Cmr JV2410180005.exe
Source: New Cmr JV2410180005.exe	Binary or memory string: OriginalFilenamejwSv.exe8 vs New Cmr JV2410180005.exe

Source: New Cmr JV2410180005.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: New Cmr JV2410180005.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: kOtBoy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, MJjgHDK9738lOHXcKD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: _0020.AddAccessRule
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, MJjgHDK9738lOHXcKD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: _0020.SetAccessControl
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cf615UEWMrVo5fLfIW.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/15@1/1

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File created: C:\Users\user\AppData\Roaming\kOtBoy.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_03

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5941.tmp

Jump to behavior

Source: New Cmr JV2410180005.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: New Cmr JV2410180005.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New Cmr JV2410180005.exe	ReversingLabs: Detection: 71%
Source: New Cmr JV2410180005.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File read: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Cmr JV2410180005.exe "C:\Users\user\Desktop\New Cmr JV2410180005.exe"
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kOtBoy.exe C:\Users\user\AppData\Roaming\kOtBoy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: New Cmr JV2410180005.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New Cmr JV2410180005.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: New Cmr JV2410180005.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: jwSv.pdbSHA256 source: New Cmr JV2410180005.exe, kOtBoy.exe.0.dr
Source:	Binary string: jwSv.pdb source: New Cmr JV2410180005.exe, kOtBoy.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{cPRyvIfYviaTKciquO(typeof(IntPtr).TypeHandle),cPRyvIfYviaTKciquO(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cf615UEWMrVo5fLfIW.cs	.Net Code: LATFkkIbie System.Reflection.Assembly.Load(byte[])
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cf615UEWMrVo5fLfIW.cs	.Net Code: LATFkkIbie System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_070F9CC0 pushad ; retf	0_2_070F9D09
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Code function: 0_2_0710FD38 push esp; ret	0_2_0710FD39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_05E83AD7 push ebx; retf	9_2_05E83ADA
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_07529CC0 pushad ; retf	10_2_07529D09
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Code function: 10_2_0C361380 pushfd ; retf	10_2_0C361381

Source: New Cmr JV2410180005.exe	Static PE information: section name: .text entropy: 7.77676485066093
Source: kOtBoy.exe.0.dr	Static PE information: section name: .text entropy: 7.77676485066093

Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, eFNPR2j5EMaFkEB3I1.cs	High entropy of concatenated method names: 'ToQ7iP37oO', 'XW07I1dVaJ', 'BsS7cHSU8r', 'knl7tjtBSb', 'OS27EWTj9y', 'lXhcNeVP23', 'KrNc4Qag1u', 'FNlcGAseG1', 'q2ecTD5w9t', 'U5EcwH4OlS'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, MJjgHDK9738lOHXcKD.cs	High entropy of concatenated method names: 'ygdIv2Hei3', 'SUlISrtJCG', 'T5wIXrdBPM', 'WLGIeC2a76', 'XmPIN0p7Ui', 'Gy9I42Zdws', 'rAxIGMnjTn', 'NCEITspVlF', 'Al5IwUC72v', 'vJxIlvMsqx'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, YO2MvRvqj39bjgFy4q.cs	High entropy of concatenated method names: 'j1LngTfZLp', 'OSVnBgmF1l', 'cvnnvEft5b', 'ynvnSBTBwa', 'L2hnCXAc52', 'YPcnZjlul7', 'NvMnmZJlsW', 'VZXnpG9Wkv', 'RoCn84blPF', 'bNlnQ39A6w'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, zGv5qVTkptrjWgecXP.cs	High entropy of concatenated method names: 'H8wJbxuhyc', 'na3JIFWavZ', 's9cJopJALU', 'g5jJcNtU3G', 'lUoJ7PaWpp', 'qnfJtW45mJ', 'kdwJEnOKCL', 'LmdJ6kRwvt', 'v96JML20gj', 'r0EJWLD4BP'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, nokE1ffyTXwoRITMn7.cs	High entropy of concatenated method names: 'vTUc16ACrh', 'vUNcyY9WH4', 'PYEoZ96KEX', 'y8iomR3t9H', 'gsEopGBs2o', 'x5Po8xdwOZ', 'ElooQWhaPo', 'etYodGJEoa', 'xBeo9K74ty', 'QtYogkkDRY'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cpfSwtuydTZ3ThPSY3.cs	High entropy of concatenated method names: 'QrTohAFi1O', 'MpkoYej1VM', 'U9NoKGOgaF', 'eyiouyEQ7W', 'wtEonumupL', 'cS8o0iNCns', 'LOLo5hU2xe', 'Bh3oJNKmHe', 'eN9o2ItVUx', 'vq2ormta0m'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, gsIJ1uAqQVb9Bsovn82.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QyRrvpHdth', 'zs4rSij49l', 'KefrXA9ZCc', 'B9UrekVSoi', 'CoIrNnXFMq', 'u68r4xS2Lt', 'Hk3rGmtOOy'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, cf615UEWMrVo5fLfIW.cs	High entropy of concatenated method names: 'ugwqi6Hd4M', 'IKuqb6fj1x', 'kCmqI3mUcg', 'QY6qox385k', 'fZfqcBTZVV', 'dsOq7kxOLy', 't89qtcTGNw', 'KvpqEFLwve', 'eVDq63WHAk', 'oOnqMYQ9wO'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, qaLuCFISuOWf4sQIca.cs	High entropy of concatenated method names: 'Dispose', 'qHbAwvMabM', 'O0KUCHBfN9', 'k4W33fJ2Ua', 'zkGAlv5qVk', 'JtrAzjWgec', 'ProcessDialogKey', 'SP6UHKT2UJ', 'H0EUAUcPKX', 'UKRUUItSIE'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, koBgmPAHvs0KHO8OEOB.cs	High entropy of concatenated method names: 'cf72x6NkZJ', 'K6a2aANbn4', 'QCC2komlCS', 'iCo2hmGIQx', 'LOR214ySvG', 'mO72YZqcAx', 'dXH2yoZTxF', 'kyO2KTtxKA', 'O6d2uUuM9h', 'WnP2ftOEfM'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, DkgmBcFrkGyEelcNnw.cs	High entropy of concatenated method names: 'vjdAtJjgHD', 'M73AE8lOHX', 'jydAMTZ3Th', 'wSYAW3WokE', 'gTMAnn7FFN', 'vR2A05EMaF', 'TjiQvrbxXtwc6wFi6F', 'XZrTfAB6eVi779HELN', 'IKkAA0BdJO', 'XwmAqj5G8P'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, CbwD4A9JZ4fuHvHuHp.cs	High entropy of concatenated method names: 'MFNtx3PruF', 'Enhta6Cffe', 'MLetkRL0wk', 'Ybwthd7uXg', 'FGjt13ds6p', 'b3stY64d2Z', 'E7ctySaFQB', 'zPytKJno0L', 'EIxtu6qGpC', 'vdFtfxRVGI'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, lqK1viLKjbL4eMGCsS.cs	High entropy of concatenated method names: 'p0GOKIn5CP', 'NRfOuMpbbF', 'uCtOj6hRHn', 'suYOCbvu43', 'WuoOmCEqD2', 'lbGOpwmc4N', 'zHdOQKHP66', 'QoDOdLoAxH', 'iA1OgWN0en', 'nt5OskQGqD'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, kYb5wJU3l9uYqIuhgi.cs	High entropy of concatenated method names: 'Haikr7HWQ', 'yplhANE5i', 'qHKYk4QNG', 'VykyrlnCy', 'pEZuZdbrK', 'ehkfMdweQ', 'dLNWqDnF4iDrlwrG5B', 'qCKenFjYvgMJQXXEvM', 'VaWJk1Hci', 'bTNrOeO5Y'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, z7vW504WEp44NqOsIU.cs	High entropy of concatenated method names: 'v9W5TFYFlV', 'zoV5lBhG4h', 'cpeJHrnEMF', 'YDtJATEQP8', 'vv45sRkKmr', 'lkN5BUAX6P', 'Uh05LncTNx', 'VWe5vPf6wu', 'NV65SGbScA', 'p3m5XYjAVW'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, lKT2UJwC0EUcPKXNKR.cs	High entropy of concatenated method names: 'jrqJj3WFFv', 'MbsJCprXei', 'ksdJZ8VbuP', 'nymJm50NxQ', 'BALJv6yHc4', 'z38JpRtFse', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, rTkPuQXaTJcqj5kZIM.cs	High entropy of concatenated method names: 'ToString', 'eIn0s7bZ0e', 'QQw0Cc1BHR', 'dH50ZjpYUs', 'hMc0mxPSKt', 'rC70pkY38k', 'MGT08Dyd9T', 'y9o0QE487N', 'hWj0dIJuy1', 'fpY09anTRN'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, gtSIEplje3IpBiA8Rf.cs	High entropy of concatenated method names: 'nRK2AldVKe', 'AGS2q9lgPU', 'AsG2FtkX5P', 'cEo2bVMSql', 'VwD2IkMTGA', 'Lav2cLoCjH', 'Hd827h7c0e', 's3cJGRcPKB', 'wlYJTs5Tsu', 'WFqJwDymTM'
Source: 0.2.New Cmr JV2410180005.exe.41a2958.0.raw.unpack, oyCfG1o3MeUfMO0kAE.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BKyUwKNXMU', 'iH6UlCob65', 'osaUzCxiKH', 'TPdqHR8JW8', 'wKYqAUcXYY', 'wCsqUh5lK7', 'MArqq2whT9', 'fQZ3dJhCRDJLPIKqf9q'
Source: 0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'YgSHuitkd', 'aiP2N9Y7C', 'gHQx79i6W', 'AGv9PUWi3', 'QMsbTCblb', 'beIGikGSa', 'clTPOt4ON', 'fF0vNYCEL', 'C5TCjFvvv', 'ln3BTm5Rw'
Source: 0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack, at4ONG9F0NYCELN5Tj.cs	High entropy of concatenated method names: 'nVoxarmF975Urj2p8sJ', 'tIta6WmWAkGE6iVCWgt', 'Y8N2DklRel', 'hpreq0m6Xcu1pidWj9b', 'KFC0XvmT5N8D2LR210h', 'a5foommXYpDAHBV6LjL', 'd3wYgimbV84NAc2fo7p', 'ItvPp5mqvV1adE08UOg', 'KA7rbWmJ0EMRNxYE2Vd', 'PPtPBAmQMyT7QpfjJpI'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, eFNPR2j5EMaFkEB3I1.cs	High entropy of concatenated method names: 'ToQ7iP37oO', 'XW07I1dVaJ', 'BsS7cHSU8r', 'knl7tjtBSb', 'OS27EWTj9y', 'lXhcNeVP23', 'KrNc4Qag1u', 'FNlcGAseG1', 'q2ecTD5w9t', 'U5EcwH4OlS'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, MJjgHDK9738lOHXcKD.cs	High entropy of concatenated method names: 'ygdIv2Hei3', 'SUlISrtJCG', 'T5wIXrdBPM', 'WLGIeC2a76', 'XmPIN0p7Ui', 'Gy9I42Zdws', 'rAxIGMnjTn', 'NCEITspVlF', 'Al5IwUC72v', 'vJxIlvMsqx'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, YO2MvRvqj39bjgFy4q.cs	High entropy of concatenated method names: 'j1LngTfZLp', 'OSVnBgmF1l', 'cvnnvEft5b', 'ynvnSBTBwa', 'L2hnCXAc52', 'YPcnZjlul7', 'NvMnmZJlsW', 'VZXnpG9Wkv', 'RoCn84blPF', 'bNlnQ39A6w'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, zGv5qVTkptrjWgecXP.cs	High entropy of concatenated method names: 'H8wJbxuhyc', 'na3JIFWavZ', 's9cJopJALU', 'g5jJcNtU3G', 'lUoJ7PaWpp', 'qnfJtW45mJ', 'kdwJEnOKCL', 'LmdJ6kRwvt', 'v96JML20gj', 'r0EJWLD4BP'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, nokE1ffyTXwoRITMn7.cs	High entropy of concatenated method names: 'vTUc16ACrh', 'vUNcyY9WH4', 'PYEoZ96KEX', 'y8iomR3t9H', 'gsEopGBs2o', 'x5Po8xdwOZ', 'ElooQWhaPo', 'etYodGJEoa', 'xBeo9K74ty', 'QtYogkkDRY'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cpfSwtuydTZ3ThPSY3.cs	High entropy of concatenated method names: 'QrTohAFi1O', 'MpkoYej1VM', 'U9NoKGOgaF', 'eyiouyEQ7W', 'wtEonumupL', 'cS8o0iNCns', 'LOLo5hU2xe', 'Bh3oJNKmHe', 'eN9o2ItVUx', 'vq2ormta0m'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, gsIJ1uAqQVb9Bsovn82.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QyRrvpHdth', 'zs4rSij49l', 'KefrXA9ZCc', 'B9UrekVSoi', 'CoIrNnXFMq', 'u68r4xS2Lt', 'Hk3rGmtOOy'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, cf615UEWMrVo5fLfIW.cs	High entropy of concatenated method names: 'ugwqi6Hd4M', 'IKuqb6fj1x', 'kCmqI3mUcg', 'QY6qox385k', 'fZfqcBTZVV', 'dsOq7kxOLy', 't89qtcTGNw', 'KvpqEFLwve', 'eVDq63WHAk', 'oOnqMYQ9wO'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, qaLuCFISuOWf4sQIca.cs	High entropy of concatenated method names: 'Dispose', 'qHbAwvMabM', 'O0KUCHBfN9', 'k4W33fJ2Ua', 'zkGAlv5qVk', 'JtrAzjWgec', 'ProcessDialogKey', 'SP6UHKT2UJ', 'H0EUAUcPKX', 'UKRUUItSIE'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, koBgmPAHvs0KHO8OEOB.cs	High entropy of concatenated method names: 'cf72x6NkZJ', 'K6a2aANbn4', 'QCC2komlCS', 'iCo2hmGIQx', 'LOR214ySvG', 'mO72YZqcAx', 'dXH2yoZTxF', 'kyO2KTtxKA', 'O6d2uUuM9h', 'WnP2ftOEfM'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, DkgmBcFrkGyEelcNnw.cs	High entropy of concatenated method names: 'vjdAtJjgHD', 'M73AE8lOHX', 'jydAMTZ3Th', 'wSYAW3WokE', 'gTMAnn7FFN', 'vR2A05EMaF', 'TjiQvrbxXtwc6wFi6F', 'XZrTfAB6eVi779HELN', 'IKkAA0BdJO', 'XwmAqj5G8P'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, CbwD4A9JZ4fuHvHuHp.cs	High entropy of concatenated method names: 'MFNtx3PruF', 'Enhta6Cffe', 'MLetkRL0wk', 'Ybwthd7uXg', 'FGjt13ds6p', 'b3stY64d2Z', 'E7ctySaFQB', 'zPytKJno0L', 'EIxtu6qGpC', 'vdFtfxRVGI'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, lqK1viLKjbL4eMGCsS.cs	High entropy of concatenated method names: 'p0GOKIn5CP', 'NRfOuMpbbF', 'uCtOj6hRHn', 'suYOCbvu43', 'WuoOmCEqD2', 'lbGOpwmc4N', 'zHdOQKHP66', 'QoDOdLoAxH', 'iA1OgWN0en', 'nt5OskQGqD'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, kYb5wJU3l9uYqIuhgi.cs	High entropy of concatenated method names: 'Haikr7HWQ', 'yplhANE5i', 'qHKYk4QNG', 'VykyrlnCy', 'pEZuZdbrK', 'ehkfMdweQ', 'dLNWqDnF4iDrlwrG5B', 'qCKenFjYvgMJQXXEvM', 'VaWJk1Hci', 'bTNrOeO5Y'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, z7vW504WEp44NqOsIU.cs	High entropy of concatenated method names: 'v9W5TFYFlV', 'zoV5lBhG4h', 'cpeJHrnEMF', 'YDtJATEQP8', 'vv45sRkKmr', 'lkN5BUAX6P', 'Uh05LncTNx', 'VWe5vPf6wu', 'NV65SGbScA', 'p3m5XYjAVW'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, lKT2UJwC0EUcPKXNKR.cs	High entropy of concatenated method names: 'jrqJj3WFFv', 'MbsJCprXei', 'ksdJZ8VbuP', 'nymJm50NxQ', 'BALJv6yHc4', 'z38JpRtFse', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, rTkPuQXaTJcqj5kZIM.cs	High entropy of concatenated method names: 'ToString', 'eIn0s7bZ0e', 'QQw0Cc1BHR', 'dH50ZjpYUs', 'hMc0mxPSKt', 'rC70pkY38k', 'MGT08Dyd9T', 'y9o0QE487N', 'hWj0dIJuy1', 'fpY09anTRN'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, gtSIEplje3IpBiA8Rf.cs	High entropy of concatenated method names: 'nRK2AldVKe', 'AGS2q9lgPU', 'AsG2FtkX5P', 'cEo2bVMSql', 'VwD2IkMTGA', 'Lav2cLoCjH', 'Hd827h7c0e', 's3cJGRcPKB', 'wlYJTs5Tsu', 'WFqJwDymTM'
Source: 0.2.New Cmr JV2410180005.exe.9810000.4.raw.unpack, oyCfG1o3MeUfMO0kAE.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BKyUwKNXMU', 'iH6UlCob65', 'osaUzCxiKH', 'TPdqHR8JW8', 'wKYqAUcXYY', 'wCsqUh5lK7', 'MArqq2whT9', 'fQZ3dJhCRDJLPIKqf9q'

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

File created: C:\Users\user\AppData\Roaming\kOtBoy.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: New Cmr JV2410180005.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: kOtBoy.exe PID: 7256, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: 99D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: A9D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: AC00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: BC00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: 9390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: A390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: B5A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7569	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2144	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7287	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2301	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2493	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8513

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4856	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3164	Thread sleep count: 7287 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1344	Thread sleep count: 2301 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99871	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99292	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98030	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98857
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94578

Source: kOtBoy.exe, 0000000A.00000002.1940265315.00000000014C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegSvcs.exe, 00000009.00000002.1947103283.0000000005F80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: RegSvcs.exe, 00000012.00000002.2997265799.0000000005E33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BD7008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AE2008	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Users\user\Desktop\New Cmr JV2410180005.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Queries volume information: C:\Users\user\AppData\Roaming\kOtBoy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kOtBoy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\New Cmr JV2410180005.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1941337532.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2989084655.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2989084655.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Cmr JV2410180005.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.70c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886513393.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Cmr JV2410180005.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.4126538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1941337532.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2989084655.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2989084655.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Cmr JV2410180005.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7728, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.70c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.70c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886513393.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.New Cmr JV2410180005.exe.3ed9970.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Cmr JV2410180005.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
New Cmr JV2410180005.exe	34%	Virustotal		Browse
New Cmr JV2410180005.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kOtBoy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\kOtBoy.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.iaa-airferight.com	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://mail.iaa-airferight.com	7%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true	7%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	New Cmr JV2410180005.exe, 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.iaa-airferight.com	RegSvcs.exe, 00000009.00000002.1941337532.0000000002CD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2989084655.0000000002C56000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse	unknown
http://www.tiro.com	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	New Cmr JV2410180005.exe, 00000000.00000002.1882214707.0000000002F36000.00000004.00000800.00020000.00000000.sdmp, kOtBoy.exe, 0000000A.00000002.1946742054.00000000030E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	New Cmr JV2410180005.exe, 00000000.00000002.1886710527.0000000007142000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541686
Start date and time:	2024-10-25 02:00:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New Cmr JV2410180005.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/15@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 167 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:01:19	Task Scheduler	Run new task: kOtBoy path: C:\Users\user\AppData\Roaming\kOtBoy.exe
20:01:11	API Interceptor	1x Sleep call for process: New Cmr JV2410180005.exe modified
20:01:16	API Interceptor	87x Sleep call for process: powershell.exe modified
20:01:22	API Interceptor	211x Sleep call for process: RegSvcs.exe modified
20:01:24	API Interceptor	1x Sleep call for process: kOtBoy.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
46.175.148.58	PO F1298-24 Fabric Order.exe	Get hash	malicious	AgentTesla	Browse
	PO F1298-24 Fabric Order.zip	Get hash	malicious	AgentTesla	Browse
	PO 316347 24MIA00660067.exe	Get hash	malicious	AgentTesla	Browse
	Purchase Order For Linear Actuator.exe	Get hash	malicious	AgentTesla	Browse
	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	PO F1298-24 Fabric Order.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO F1298-24 Fabric Order.zip	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO 316347 24MIA00660067.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Purchase Order For Linear Actuator.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	PO F1298-24 Fabric Order.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO F1298-24 Fabric Order.zip	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO 316347 24MIA00660067.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	Purchase Order For Linear Actuator.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	PO FOR CONNECTOR WITH TERMINAL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	New PO-Auras Demand.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.BackDoor.AgentTeslaNET.37.28277.26776.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	New Purchase Order 568330.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SecuriteInfo.com.Win32.PWSX-gen.20380.30925.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	rrpC2ZDgUd.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58

Process:	C:\Users\user\Desktop\New Cmr JV2410180005.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kOtBoy.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\kOtBoy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.378486415808052
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZeUyus:fLHxvIIwLgZ2KRHWLOugos
MD5:	6DFA5C5C671AE3B12C05C766C69CAB61
SHA1:	AC1EDD2AAA653980C8E88DD3C581CDEC2C38DDC3
SHA-256:	31F626FB392EF951245AB899BE569F1E276C20119A54A5081B63A371E43B8F92
SHA-512:	AAD4C225869DCFD6E9A0F5584B7E1A754D35A4C0E87E6201E9EE87EF5DCF3AD43828599B20A7AF68ECE7D64B6977D3F234AD6674C2D3C7A89EA8C72A90F15DFE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43spzwod.fqo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czax2xex.lae.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbnjeid0.rbu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpvjau10.ooc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nca1ykdo.x4r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbxvwhva.fiq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb10veqf.wzn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaiazckf.uvf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5941.tmp

Download File

Process:	C:\Users\user\Desktop\New Cmr JV2410180005.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.1044042768308175
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTGv
MD5:	3DBCF3749E9AF3768165059BC16EB549
SHA1:	A533142A2D245318FC683C902EAFBEE792FB6ED4
SHA-256:	94BA6563532C559AAFCC0E73F281A1C2B49A2BB135B9D25A808D5201F985008F
SHA-512:	827D71054DA79EE95E270242C22B542218D29F71F323CD6C3EF0477015B34416949092175AF2F042DD56A1F0AF2A6D74E83FA2B5E641B5AE2191CFEBEE789BC7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp7C89.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\kOtBoy.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.1044042768308175
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTGv
MD5:	3DBCF3749E9AF3768165059BC16EB549
SHA1:	A533142A2D245318FC683C902EAFBEE792FB6ED4
SHA-256:	94BA6563532C559AAFCC0E73F281A1C2B49A2BB135B9D25A808D5201F985008F
SHA-512:	827D71054DA79EE95E270242C22B542218D29F71F323CD6C3EF0477015B34416949092175AF2F042DD56A1F0AF2A6D74E83FA2B5E641B5AE2191CFEBEE789BC7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\kOtBoy.exe

Download File

Process:	C:\Users\user\Desktop\New Cmr JV2410180005.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	964096
Entropy (8bit):	7.487399102020608
Encrypted:	false
SSDEEP:	24576:OYJW0Qy7IvDjljdCc4P7wCwnFMg+Y1ahxyhwU:zqj1opcGjYq8wU
MD5:	ADF34C05ADF9629F38D6388BCEAAD6FD
SHA1:	12B9C57576E5B2CA7C3D070E68BADA4F59A659AB
SHA-256:	2518788F855F3DD62BE94E01361E96373B1A6D7B86F48E72D3BB899589200F09
SHA-512:	7C748E84F37A9727F094DFDBD3ACC351030CF9B0651D37FAF8D3460C6F626B23F85ACC17488FC515A3CD8E2276142634B629F1A06751FE528BB4E234529F02B6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@.................................l...O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......h:.../......0...li...............................................0..>.........}.....(.......(.....~....o.........,..s!.....o.......(........0..\|.........{....o....o.....~....~"...%-.&~!.....>...s....%."...(...+...o.....+ .o.......{....o.....o....o....&..o....-....,..o ...........D.,p......&..(!.......0..+.........,..{.......+....,...{....o .......("......0............s#...}.....s$...}.....s%...}.....{....o&.....('.....{....(6...o(.....{.... @... ....s)...o*.....{.

C:\Users\user\AppData\Roaming\kOtBoy.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\New Cmr JV2410180005.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.487399102020608
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	New Cmr JV2410180005.exe
File size:	964'096 bytes
MD5:	adf34c05adf9629f38d6388bceaad6fd
SHA1:	12b9c57576e5b2ca7c3d070e68bada4f59a659ab
SHA256:	2518788f855f3dd62be94e01361e96373b1a6d7b86f48e72d3bb899589200f09
SHA512:	7c748e84f37a9727f094dfdbd3acc351030cf9b0651d37faf8d3460c6f626b23f85acc17488fc515a3cd8e2276142634b629f1a06751fe528bb4e234529f02b6
SSDEEP:	24576:OYJW0Qy7IvDjljdCc4P7wCwnFMg+Y1ahxyhwU:zqj1opcGjYq8wU
TLSH:	7425F0045746C952C9E81B308871E3F84B991EB9BC35C70FEEDABDEF3E729692494190
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	71d8d4d6dcd8b24d

Static PE Info

General

Entrypoint:	0x4bfbbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67170CBC [Tue Oct 22 02:23:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc ecx
add byte ptr [ebx+00h], dh
jnc 00007FF5FD0D57B2h
imul eax, dword ptr [eax], 006E0067h
insd
add byte ptr [ebp+00h], ah
outsb
add byte ptr [eax+eax+32h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbfb6c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x2d5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xbe8fc	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbdbdc	0xbdc00	da59e22ce897e09949f5bf325b262d39	False	0.9119987236495388	data	7.77676485066093	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x2d5a4	0x2d600	aaa6f353773216808ac19dcd544aae3d	False	0.34638106921487605	data	5.631955851710547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	a4f5339d11b9c694461fa42ffb29e8a9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc0298	0x57be	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9988870091710444
RT_ICON	0xc5a58	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.18212468945936353
RT_ICON	0xd6280	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.26989173849064535
RT_ICON	0xdf728	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.305822550831793
RT_ICON	0xe4bb0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.29841757203589986
RT_ICON	0xe8dd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.3866182572614108
RT_ICON	0xeb380	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.44348030018761725
RT_ICON	0xec428	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5413934426229509
RT_ICON	0xecdb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.6365248226950354
RT_GROUP_ICON	0xed218	0x84	data	0.7045454545454546
RT_GROUP_ICON	0xed29c	0x14	data	1.05
RT_VERSION	0xed2b0	0x2f4	data	0.44047619047619047

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 02:01:24.189521074 CEST	49736	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:25.182964087 CEST	49736	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:27.733515024 CEST	49741	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:28.745465040 CEST	49741	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:30.745632887 CEST	49741	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:34.745448112 CEST	49741	25	192.168.2.4	46.175.148.58
Oct 25, 2024 02:01:42.745455027 CEST	49741	25	192.168.2.4	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 02:01:24.138359070 CEST	56493	53	192.168.2.4	1.1.1.1
Oct 25, 2024 02:01:24.173773050 CEST	53	56493	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 02:01:24.138359070 CEST	192.168.2.4	1.1.1.1	0x571e	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 02:01:24.173773050 CEST	1.1.1.1	192.168.2.4	0x571e	No error (0)	mail.iaa-airferight.com		46.175.148.58	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	20:01:04
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\New Cmr JV2410180005.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Cmr JV2410180005.exe"
Imagebase:	0xae0000
File size:	964'096 bytes
MD5 hash:	ADF34C05ADF9629F38D6388BCEAAD6FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1886513393.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1883270170.0000000003ED9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:01:14
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New Cmr JV2410180005.exe"
Imagebase:	0xcc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:01:15
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:01:15
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kOtBoy.exe"
Imagebase:	0xcc0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	20:01:16
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:01:16
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp5941.tmp"
Imagebase:	0x880000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	20:01:17
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:01:18
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x780000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:01:19
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x8c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1941337532.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1939429311.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1941337532.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:01:19
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\kOtBoy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\kOtBoy.exe
Imagebase:	0xc80000
File size:	964'096 bytes
MD5 hash:	ADF34C05ADF9629F38D6388BCEAAD6FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:01:23
Start date:	24/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:01:25
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kOtBoy" /XML "C:\Users\user\AppData\Local\Temp\tmp7C89.tmp"
Imagebase:	0x880000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	20:01:25
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	20:01:25
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x330000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	20:01:25
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x840000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2989084655.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2989084655.0000000002C37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	323
Total number of Limit Nodes:	22

Executed Functions

Function 07100628 Relevance: 7.3, Strings: 5, Instructions: 1001
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pjq, xrefs: 071012E7
TJkq, xrefs: 071007CB
xbiq, xrefs: 07100758
Tefq, xrefs: 07100E76
4'fq, xrefs: 07101212

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: 4'fq$TJkq$Tefq$pjq$xbiq
API String ID: 0-2688501482
Opcode ID: b2d3335174c9a159ca142976aadcc952b5ff241a7f188ec291e6162aefe166d9
Instruction ID: f09d0f5d43c3d202dcd76bdf622302cb85e3941e3ca8ea31254e178e0239376a
Opcode Fuzzy Hash: b2d3335174c9a159ca142976aadcc952b5ff241a7f188ec291e6162aefe166d9
Instruction Fuzzy Hash: 8AB2C075E00228DFDB64CF69C984ADDBBB2BF89300F1581E9D509AB265DB319E81CF40

Function 070F8B90 Relevance: 6.9, Strings: 5, Instructions: 625
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hjq, xrefs: 070F9A73
Hjq, xrefs: 070F99EC
Hjq, xrefs: 070F9AFD
Hjq, xrefs: 070F9959
Hjq, xrefs: 070F9BBB

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: Hjq$Hjq$Hjq$Hjq$Hjq
API String ID: 0-1529018591
Opcode ID: 95eabe13422c98afa2280cc0dd9e9a4cddf9cbd04f943e98e46aab6a29a5b1ce
Instruction ID: cc330377332115dadc3eb3b91b011f39055616c258f16a6590ca503d1045569c
Opcode Fuzzy Hash: 95eabe13422c98afa2280cc0dd9e9a4cddf9cbd04f943e98e46aab6a29a5b1ce
Instruction Fuzzy Hash: 29327EB1E102188FDB54DFA8C85079EBBF2BF84300F1485AAD549EB395DA34AD45CF91

Function 0CB30B67 Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

P&^, xrefs: 0CB30CC4

Memory Dump Source

Source File: 00000000.00000002.1889603212.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: P&^
API String ID: 0-2339185298
Opcode ID: 3c1eac968df6aed4d18487325a4f6021ff39b871c47e1d93f4f652dd46552af8
Instruction ID: 87d17a30cade996bffdc6a14e1406775bffee93ec226a3408b08a990b44e628f
Opcode Fuzzy Hash: 3c1eac968df6aed4d18487325a4f6021ff39b871c47e1d93f4f652dd46552af8
Instruction Fuzzy Hash: A19128B4E05228CBDB68DF66D8407EDBBB6BF89300F1491EAD40DA6240EB705AC5CF40

Function 071030F0 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cd1a3eceae8bfa958fb3c4643c2c0465d07eb30f43ce25caf50db61b2423c0
Instruction ID: 242c7cc08a2b27ec6895461e88d36ca3e6282e0813cacceefb0ee5f1838ab841
Opcode Fuzzy Hash: 01cd1a3eceae8bfa958fb3c4643c2c0465d07eb30f43ce25caf50db61b2423c0
Instruction Fuzzy Hash: 42D1F9B4D15228CFDB24DFA5C8447DEBBB2FF4A300F1085AAD529AB280D7B44985CF91

Function 07103100 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae489e93c2b36547474f1320fc6cfc3973fb76463d056d456a0012ad2877c40
Instruction ID: cf293b7cc848ab951133929e5a69f1b829a2f57af379b23b63f33d3a44f2c62f
Opcode Fuzzy Hash: 3ae489e93c2b36547474f1320fc6cfc3973fb76463d056d456a0012ad2877c40
Instruction Fuzzy Hash: B3D1E8B4D15228CFDB24DFA5C8487DEBBB2FF49300F1085AAD529AB280D7B45985CF91

Function 070F9392 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f944affcdce1a687db362580cdd059752a69df7d671bdf9194d445cfbe16e04
Instruction ID: e9c38b907051932a3b530e63518cbfb5f97d0b5d52ea70f84c8242a7a8a390d4
Opcode Fuzzy Hash: 9f944affcdce1a687db362580cdd059752a69df7d671bdf9194d445cfbe16e04
Instruction Fuzzy Hash: E8C16CB1E10219CFCF54CFA9C88079DBBF2AF89310F14C2AAD549AB655DB30A985CF51

Function 070FAAF0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c0913ae58455b60ce63e7cc0ffe1eca6c4a5b68cddb10cf1f255d7a5fc7f8e
Instruction ID: 73dc0a3a59cf14de30168814f4d608c4245060c8dd8c4c4ad3efc00eb2921f42
Opcode Fuzzy Hash: f5c0913ae58455b60ce63e7cc0ffe1eca6c4a5b68cddb10cf1f255d7a5fc7f8e
Instruction Fuzzy Hash: 0631F533A00B18CFE312D61796059827BD9DFBA330B15D2AEC1182F1F2D668A580EF85

Function 07107C58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2346872ec01d8f4b3fe1e6055b480bcd18c13abe012356db5c9c23971f7acb3c
Instruction ID: 23831cb6e438d0f913f4bdaae8accf423676a7f23b2996994d242680a0257de3
Opcode Fuzzy Hash: 2346872ec01d8f4b3fe1e6055b480bcd18c13abe012356db5c9c23971f7acb3c
Instruction Fuzzy Hash: 452116B0D186198BDB08CF67C9443EEBFF6BFC9310F04C06AD409A6294DB7409458F90

Function 07107C68 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488f4bf3ce99800714e13d166a9ebaab0205519c99f99e0b5b34db1534f8010b
Instruction ID: 63471b66c96cc29f337a13797d1876f77a1fd73ffda8eb8cc5b59c4557d2963c
Opcode Fuzzy Hash: 488f4bf3ce99800714e13d166a9ebaab0205519c99f99e0b5b34db1534f8010b
Instruction Fuzzy Hash: 5321C7B0D186198BDB18CFABC9443EEFAF6AFC9310F04C06AD40976294DBB509458F91

Function 016BD740 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016BD7BE
GetCurrentThread.KERNEL32 ref: 016BD7FB
GetCurrentProcess.KERNEL32 ref: 016BD838
GetCurrentThreadId.KERNEL32 ref: 016BD891

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 25c1f2cc48555d8fa135030db20ce71109861203849d0fc99c395ade94bf6711
Instruction ID: c1dc38206b5fdb17ae4ddc02dbcf0718a94a3f6c14e3264b6f991b6d4d3591fc
Opcode Fuzzy Hash: 25c1f2cc48555d8fa135030db20ce71109861203849d0fc99c395ade94bf6711
Instruction Fuzzy Hash: 5A5155B0D002498FDB14DFAAD988BDEBBF5AF88318F248459E119A7360D7346984CF61

Function 0710D9A5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0710DBE6

Strings

P&^, xrefs: 0710DCCC

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: CreateProcess
String ID: P&^
API String ID: 963392458-2339185298
Opcode ID: 12ed96bee8b8a8e76bdfb9936ac33f74a7edd8439b7504e5939af70109944cd5
Instruction ID: 4d9f979f86a740ebca905bed19e7c56c176418aad633eb53b2d86c42de4eece3
Opcode Fuzzy Hash: 12ed96bee8b8a8e76bdfb9936ac33f74a7edd8439b7504e5939af70109944cd5
Instruction Fuzzy Hash: AEA16DB1E0021ADFDF25DFA8D9417EDBBB2BF48310F148169D849A7280DBB49985CF91

Function 0710D9B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0710DBE6

Strings

P&^, xrefs: 0710DCCC

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: CreateProcess
String ID: P&^
API String ID: 963392458-2339185298
Opcode ID: 92b919e6bacd8aab0253a65c7810372211f2aac36f38105b44033839527ca2b9
Instruction ID: 592e4e42b3c14ba917681ccb08dc49c58c2d4cc049252e3ed2b2e3c46196078f
Opcode Fuzzy Hash: 92b919e6bacd8aab0253a65c7810372211f2aac36f38105b44033839527ca2b9
Instruction Fuzzy Hash: 46917DB1E0021ADFDF25DFA8D9417DDBBB2BF48310F148169D849A7280DBB49985CF91

Function 016BB498 Relevance: 1.7, APIs: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BB6FE

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9e06fff1edcb8171de90a31931cc6168d8d00abc5eb05f0fdbe58898f80c7637
Instruction ID: f8b036d5c53626417beffabfc143d0288760334c0d21471b1fbcf5ab482ad965
Opcode Fuzzy Hash: 9e06fff1edcb8171de90a31931cc6168d8d00abc5eb05f0fdbe58898f80c7637
Instruction Fuzzy Hash: D68114B0A00B458FD725DF69D89479ABBF1BF48300F048A2DD08ADBB51D775E885CB91

Function 016B5A84 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0435fc078481a7f6184478aa4c44b5e91e7e7af0016f99c6677ff475b5e26e8f
Instruction ID: 6d6b3f70fdf25128741503a74f38dc92324021dfc9fe595b60213edd03ece270
Opcode Fuzzy Hash: 0435fc078481a7f6184478aa4c44b5e91e7e7af0016f99c6677ff475b5e26e8f
Instruction Fuzzy Hash: 7341CF71805388CECB21DFA8CCC56EEBBB1EF46324F14818AC407AB255C7356A86CF51

Function 016B44D4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 577ada4d5fe627b1c2ae9ae1f49628b31eae9ee4e7fc33839898854822012ff8
Instruction ID: ac3ea0e07b9d80259511a0adbef68c4f75d1eef81988e7e27a26dea57004f2bc
Opcode Fuzzy Hash: 577ada4d5fe627b1c2ae9ae1f49628b31eae9ee4e7fc33839898854822012ff8
Instruction Fuzzy Hash: 8641C2B0C0071DCBDB25DFA9C984BDEBBB6BF49304F20805AD509AB251DB756985CF90

Function 0710D2E8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0710D380

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: c42c5954846465614927f854d99123916cfa7bdaccb8710c1bcf56a5904b79ff
Instruction ID: 9219b7a877fe79cc203709fb0e659d86e3c9b158c605e7a8f67934e73ca52e20
Opcode Fuzzy Hash: c42c5954846465614927f854d99123916cfa7bdaccb8710c1bcf56a5904b79ff
Instruction Fuzzy Hash: 552128B59003499FDF10CFA9C981BDEBBF5FF48320F108429E959A7240D7789944DBA1

Function 054C7C74 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,054C80A5,?,?), ref: 054C8157

Memory Dump Source

Source File: 00000000.00000002.1885342485.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54c0000_New Cmr JV2410180005.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: bad305be13adaccf5341020acb7fddecd58969c09b277e873c1d3fc63a91164a
Instruction ID: d2a0c5790da9b6860e0341c1b5280a130fcbfebd86380fa4d522815f68e9eacf
Opcode Fuzzy Hash: bad305be13adaccf5341020acb7fddecd58969c09b277e873c1d3fc63a91164a
Instruction Fuzzy Hash: 0431E2B59002099FDB10CF9AD884ADEBBF5FF48320F14846EE819A7310D774A944CFA0

Function 054C80B9 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,054C80A5,?,?), ref: 054C8157

Memory Dump Source

Source File: 00000000.00000002.1885342485.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54c0000_New Cmr JV2410180005.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 5afccfc4e67e4c98bf34c214b663e7f6c01fb58ae28b0379753794ecca363249
Instruction ID: 393a23720c01447f0e7889a553e66ae96760330fc0fc5ab770f63880cd3c853b
Opcode Fuzzy Hash: 5afccfc4e67e4c98bf34c214b663e7f6c01fb58ae28b0379753794ecca363249
Instruction Fuzzy Hash: 8B31BFB59002499FDB10CF9AD880ADEBBF5FB48320F24846AE819A7310D775A944CFA0

Function 0710D2F0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0710D380

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 83b5797e0318602768b8270f1fe06b8b42f604645d6d0553e996d1d1a921a6a1
Instruction ID: c01f69d2764b33aed586b070cda4b6878322a4f52c8d897f1fdde9c509df9380
Opcode Fuzzy Hash: 83b5797e0318602768b8270f1fe06b8b42f604645d6d0553e996d1d1a921a6a1
Instruction Fuzzy Hash: DD2127B59003499FDB10CFA9C881BDEBBF5FF48320F10842AE959A7280C7789944DBA0

Function 0710D150 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0710D1D6

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5aa8e3f61e1ac365be4eda5e9e891523097baffdfcb415d49d9cb36d181b1557
Instruction ID: 4ff9e48456284deab0f0f9a983d79d9f791e21c8e226026b53c3826162b07763
Opcode Fuzzy Hash: 5aa8e3f61e1ac365be4eda5e9e891523097baffdfcb415d49d9cb36d181b1557
Instruction Fuzzy Hash: F92139B1D002098FDB10DFAAC9857AEBBF5EF48320F148429D559A7381CBB89545CFA1

Function 0710D3D8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0710D460

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0dff2d52e5052849f15a95642481c450c97f32ac7f43dfd80d12622e1865b51d
Instruction ID: 6931676f9764625d70c71a648ca76bfac679a2f9e7816350066d2086d7d6fee1
Opcode Fuzzy Hash: 0dff2d52e5052849f15a95642481c450c97f32ac7f43dfd80d12622e1865b51d
Instruction Fuzzy Hash: 382148B1D003499FCB10CFAAC881ADEFBF5FF48320F10842AE959A7240D7789900DBA1

Function 0710D3E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0710D460

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6103d83ef5b577c2c0ef5b71518e49cebeee6bc2d4c363ea3b93ecb79b691e29
Instruction ID: 6ad00192a8a6e7c3930ea8905cef379ddb0e78ef1b4930eb9a7cb45aa0fe9420
Opcode Fuzzy Hash: 6103d83ef5b577c2c0ef5b71518e49cebeee6bc2d4c363ea3b93ecb79b691e29
Instruction Fuzzy Hash: 182128B1D003499FDB10DFAAC881ADEBBF5FF48320F10842AE559A7240C778A544DBA1

Function 0710D158 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0710D1D6

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6451f68c1411c7cdb0d6a53a85957fc7ea97ae74307a04b2cf2cb4ed4ee25b56
Instruction ID: d22e69266543528bd733bf93effe0619248dc8edacce0cbd016c560b30a86700
Opcode Fuzzy Hash: 6451f68c1411c7cdb0d6a53a85957fc7ea97ae74307a04b2cf2cb4ed4ee25b56
Instruction Fuzzy Hash: 70211AB1D003098FDB10DFAAC5857AEBBF5EF48324F148429D559A7380DB789544CFA1

Function 016BDD90 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BDE17

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: adecae7aba1083cce7554dc5bc828a1f005019e4a4d48b5d98bee56ef6e719fe
Instruction ID: e5f221ec88f84eb9164e33dc5e146ac66c2d74a22abde3067e24cd6d3b4dfdb6
Opcode Fuzzy Hash: adecae7aba1083cce7554dc5bc828a1f005019e4a4d48b5d98bee56ef6e719fe
Instruction Fuzzy Hash: 9F21E4B59002499FDB10CF9AD984ADEBFF9EF48324F14841AE918A7310D374A954CFA0

Function 070F8BD8 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,070F9CDA,?,?,?,?,?), ref: 070F9D7F

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: cd08377a24319379d0d5db5562918c19c5ac5760c7fb7262d8e015e91d9d31e4
Instruction ID: 158a5cf8828923bd3209aa9bbc79fd26fa87e2ef4add2f6cf7438fb90666774f
Opcode Fuzzy Hash: cd08377a24319379d0d5db5562918c19c5ac5760c7fb7262d8e015e91d9d31e4
Instruction Fuzzy Hash: 751137B58003499FDB10DF9AC844BDEBFF8EF48320F24841AE918A7210C375A954DFA4

Function 070F9D0A Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,070F9CDA,?,?,?,?,?), ref: 070F9D7F

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6ab6c83608833d019bfdb676f2510ff335eeef11a5bae867be4ac8c726c90e98
Instruction ID: 6ba698e1cf394c2599d063c51fb41ac888dfced239d5de785104f8ce2a820f04
Opcode Fuzzy Hash: 6ab6c83608833d019bfdb676f2510ff335eeef11a5bae867be4ac8c726c90e98
Instruction Fuzzy Hash: 9D1137B68003499FDB10DF99C945BDEBFF8EF48320F24841AE518A7210C375A554DFA4

Function 0710D22B Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0710D29E

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0c3a9b056ea303a7238e6b66475ee8f455a9dee24028c47d397f6e92928270d
Instruction ID: 39bd40df7bcbe0a3f6f7dd96b7161183df5cbdf973094aa09fcff8e4a76acf99
Opcode Fuzzy Hash: d0c3a9b056ea303a7238e6b66475ee8f455a9dee24028c47d397f6e92928270d
Instruction Fuzzy Hash: F91167B29002499FCF10DFAAC845BDEBFF5EF88320F248419E519A7250C775A944DFA1

Function 0710D230 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0710D29E

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4f7ec8468b3ae7e876ea099e76f8d7038c202f183c3d9b317f0ad26a23edba70
Instruction ID: 39b8d1458358d8d36b1fd05167cf3c6266c526c7d44abf3ce9716cd2caa07491
Opcode Fuzzy Hash: 4f7ec8468b3ae7e876ea099e76f8d7038c202f183c3d9b317f0ad26a23edba70
Instruction Fuzzy Hash: 111167B19002499FCB10DFAAC845ADEBFF5EF88320F208419E519A7250C775A540DFA1

Function 0710D0A3 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0710D10A

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7374689ce02488e8cc21fed47cb9b39a8d477ed0dfc90f89fc4f6c7e949a6869
Instruction ID: 199c4c3cb72fde0492cc281306abda55be129f0819a774fad23980934f036f20
Opcode Fuzzy Hash: 7374689ce02488e8cc21fed47cb9b39a8d477ed0dfc90f89fc4f6c7e949a6869
Instruction Fuzzy Hash: 831128B19003498FDB20DFAAC8457DEFBF9EF88324F248419D519A7340CB79A544CBA5

Function 0710D0A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0710D10A

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 11fe9c2c137cfa348ca6c2219d25d356a1254251d1c7a075645445402d1eb322
Instruction ID: b79fd870904db9ab13d4451daf738dd3b551df50c5a99aee3047d629ba378f29
Opcode Fuzzy Hash: 11fe9c2c137cfa348ca6c2219d25d356a1254251d1c7a075645445402d1eb322
Instruction Fuzzy Hash: 1B1128B19002498FDB20DFAAC44579EFBF5EF88324F248419D519A7240CB79A544CBA5

Function 0CB31D38 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0CB31D9D

Memory Dump Source

Source File: 00000000.00000002.1889603212.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_New Cmr JV2410180005.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1461171c04c959207836495ec8e9b467cc74da6276fb19d547ae5eabfe482238
Instruction ID: 4b7e576ad83bcbfd07c92c5bc4054af88780373c33072f00af84ad19cf7123b7
Opcode Fuzzy Hash: 1461171c04c959207836495ec8e9b467cc74da6276fb19d547ae5eabfe482238
Instruction Fuzzy Hash: EF11F2B58003499FDB10DF9AC985BDEBBF8EB48320F20845AE918A7600C375A944CFA1

Function 016BB698 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016BB6FE

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2d98e7b0ea7fbd6aa6c13590b7639082113a23ef507beb91baf865c4913e42d2
Instruction ID: 545e7fc4c97525741b3b50042f04929c23f0494e03558bcc20a72ad8992221ec
Opcode Fuzzy Hash: 2d98e7b0ea7fbd6aa6c13590b7639082113a23ef507beb91baf865c4913e42d2
Instruction Fuzzy Hash: 7B11E0B5C006498FDB10CF9AC884ADEFBF5EF88324F24842AD529A7710D379A545CFA1

Function 0CB31D40 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0CB31D9D

Memory Dump Source

Source File: 00000000.00000002.1889603212.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_New Cmr JV2410180005.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a899a9a2933a25293608ac232644c241ba783bd20f19ebe1624aaf2f13538aab
Instruction ID: e36783bb332621ccf2ae93e77df1e9009553445af869a5e35fc89687f716d59e
Opcode Fuzzy Hash: a899a9a2933a25293608ac232644c241ba783bd20f19ebe1624aaf2f13538aab
Instruction Fuzzy Hash: 241103B58003499FDB10DF9AC985BDEBBF8EB48320F20845AD518A7200C375A544CFA1

Function 0106D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880135681.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b05235d4dfbedf0ec08f5502378bb081fc4cef975d16990e92fb88f48c8844
Instruction ID: ca3cbb4737be074b1664e583228ffefd4aaf8f6fc97653b27355fb7f1542eb03
Opcode Fuzzy Hash: e3b05235d4dfbedf0ec08f5502378bb081fc4cef975d16990e92fb88f48c8844
Instruction Fuzzy Hash: 0E212BB1604201DFDF05DF94D9C0B2ABFA9FB94324F24C5A9ED850B246C336D456CBA1

Function 0107D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880184656.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c89d5cb5642aa6067e8ef705df3509da826ab210dc78305fbf54a14efbbc600
Instruction ID: ff63b5a19a4336c6b92dc1efafdf8a05bd298c5b7372f536620b5f87a8044e75
Opcode Fuzzy Hash: 1c89d5cb5642aa6067e8ef705df3509da826ab210dc78305fbf54a14efbbc600
Instruction Fuzzy Hash: ED2129B1A04200EFDB05DF98D5C0B26BBA5FF94324F24C5ADE9894B252C336D447CB65

Function 0107D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880184656.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43bfb510e4f2745f489fc73fcf51cfc959c4581cba3edb994903cc11ed208a2
Instruction ID: 92fba61d2b14f3e032e07ffa235250e32c8ecb54a3673b538c7624d1be29a729
Opcode Fuzzy Hash: b43bfb510e4f2745f489fc73fcf51cfc959c4581cba3edb994903cc11ed208a2
Instruction Fuzzy Hash: 792125B5A04200DFCB16DF58D9C0B26BBA5FF84354F24C9ADE98A4B246C336D407CBA5

Function 0107D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880184656.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e29a7374dd05c3090169890d38a09763e62a4df668ae7e7a4eeb621f25970ea
Instruction ID: 742f939f5aacdbee79f4e7270ba5a49a2bc4db4694cd1ed4b7aa08ca4c6a8be8
Opcode Fuzzy Hash: 2e29a7374dd05c3090169890d38a09763e62a4df668ae7e7a4eeb621f25970ea
Instruction Fuzzy Hash: CC2183755093808FD713CF64D590715BFB1EF46214F28C5DAD8898B667C33A980ACBA2

Function 0106D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880135681.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction ID: 245cdb55950cdf7647915b982c9132307beb75eb95f29dfcf35a9675edeabcc9
Opcode Fuzzy Hash: 0198dffcca54c8a327979ca184e18e1179e26769679eb7287e54d642110c921c
Instruction Fuzzy Hash: 9121E176504240CFDB16CF44D9C4B16BFB2FB84324F24C1AADD880B656C33AD46ACBA1

Function 0107D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880184656.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_107d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 99c8d633d645dfb543d26857fb5d97a9e35301936361e249cff352b47b403982
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: F611BB75904280DFDB12CF54C5C0B15BFA2FF84224F28C6AAD8894B696C33AD44BCB61

Function 0106D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880135681.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37561ef4ad8983cd234dca297018fa6eaab692e9a7a8621ed03ff085f4015d3
Instruction ID: 7ebd9cb1f2c85e35a0b1cfe3dbde93b9795bed61c76b21e5d26bceceb24f738b
Opcode Fuzzy Hash: b37561ef4ad8983cd234dca297018fa6eaab692e9a7a8621ed03ff085f4015d3
Instruction Fuzzy Hash: 4A01F7712043809AE7109EA9CDC4B6ABFDCEF41324F18C55AEDC94A282E67D9840C772

Function 0106D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1880135681.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2514f49213277c697f7f60c3f00e73fd7d92913079ef1e2864f7fcbbc879cbb4
Instruction ID: 7c9aaea125b457064b8d9a02b60ffc65423c7a17ee805d1e99d9d064b64dd2de
Opcode Fuzzy Hash: 2514f49213277c697f7f60c3f00e73fd7d92913079ef1e2864f7fcbbc879cbb4
Instruction Fuzzy Hash: B0F0C2715043809EE7118E1AD8C4B66FFDCEF41634F18C05AED884A286D2799844CBB1

Non-executed Functions

Function 0710061B Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

TJkq, xrefs: 071007CB
xbiq, xrefs: 07100758
Tefq, xrefs: 07100E76

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: TJkq$Tefq$xbiq
API String ID: 0-2501753584
Opcode ID: 8e088476724c2e4dbb66e4c15919388073ee7bf67068550f6ca03ce7ee645561
Instruction ID: dfaa33dc0cc50cfccc463cd2013d29f69dbabd9515b86c6110ac15f9f21c7d59
Opcode Fuzzy Hash: 8e088476724c2e4dbb66e4c15919388073ee7bf67068550f6ca03ce7ee645561
Instruction Fuzzy Hash: 31B1A3B5E006288FDB18DF6AC9846DDBBF2BF88301F14C1A9D809AB354DB305A85CF40

Function 071002E8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071003CA

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 3360217162da9126cf739d8bae77a74e8cf20437b8935e9108d0d540e3228e74
Instruction ID: 1c22867974a7039f0dd832a336ce38a6b431e11f1d69ac1e59bf85e8900ba8ea
Opcode Fuzzy Hash: 3360217162da9126cf739d8bae77a74e8cf20437b8935e9108d0d540e3228e74
Instruction Fuzzy Hash: 9F613EB0A152198FD748EF7AE84569E7FF2FB88301F14C529E015AB264EF701945DB81

Function 071002F8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'fq, xrefs: 071003CA

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID: 4'fq
API String ID: 0-2007657732
Opcode ID: 8c7dc06fbc63c6a8490b537df570468f32a413bc903cb07688841509b90039ec
Instruction ID: 20cd78df8fb35ec402134b49cdf379c826581c7b366d20a9d273dd64fe83c6ab
Opcode Fuzzy Hash: 8c7dc06fbc63c6a8490b537df570468f32a413bc903cb07688841509b90039ec
Instruction Fuzzy Hash: AB612BB0A152198FD748EF7AE88569E7FF2FB88300F14C529E014AB268EF705945DB81

Function 0CB332D8 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889603212.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4016ad3594ce9e0f17df4485888024d12a80226177fcc0dc1052d72ac9ff5231
Instruction ID: 36a27ac9a9b8794131fd52355da72a14e214ad157ec437345e4878c1cfb11dd3
Opcode Fuzzy Hash: 4016ad3594ce9e0f17df4485888024d12a80226177fcc0dc1052d72ac9ff5231
Instruction Fuzzy Hash: 26E18D717016059FDB25DBB9C8907AFB7F7AF89200F2484ADD0459B3A1DB35E842CB52

Function 0710B558 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5647d446e0905b91a8208a0b08116e9ba33fa314fe26d22c3e29ca20b2c7a84a
Instruction ID: 47004b1a7b4a91a0fb97deab3ab4f17a024d353679574d1ec6148b5f923976d2
Opcode Fuzzy Hash: 5647d446e0905b91a8208a0b08116e9ba33fa314fe26d22c3e29ca20b2c7a84a
Instruction Fuzzy Hash: C8E12BB4E051198FDB14DFA9C9909AEFBB2FF89300F24C169D814AB395D771A941CFA0

Function 0710D4C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72499c09e35eb1a6c8070693683612741241fbea05e572c254ddb20aa07911b1
Instruction ID: 30576ce3aeb8fad842f3e5c9b3275b260ed3b732fc088acf037b2623b50ddfc8
Opcode Fuzzy Hash: 72499c09e35eb1a6c8070693683612741241fbea05e572c254ddb20aa07911b1
Instruction Fuzzy Hash: BAE13CB4E001198FDB14DFA9D5809AEFBB2FF89304F24C16AD854AB395C771A941CFA0

Function 0710B120 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aab1aaeba5bfd91f9eeebe4f106af8c63855200cb34ac825fe02e4eb0ae2a37
Instruction ID: 1814464fb10c72d0d62d9a2488a48bc3c4d06b3f03cbe25748ef6bbed86f73e9
Opcode Fuzzy Hash: 0aab1aaeba5bfd91f9eeebe4f106af8c63855200cb34ac825fe02e4eb0ae2a37
Instruction Fuzzy Hash: CBE11CB4E051198FDB14DFA9C9909AEFBB2FF49304F24C169D814AB395C771A942CFA0

Function 0710ACE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bd3a3e880e8dd99fc1ab4132781b6d438255555de77639415b916078198883
Instruction ID: 3f33bdc5a8868dd7dd59e86739e987a99a9157f0d79f387635d626fd18d818a0
Opcode Fuzzy Hash: 60bd3a3e880e8dd99fc1ab4132781b6d438255555de77639415b916078198883
Instruction Fuzzy Hash: 95E12CB4E052198FDB14DFA9C5909AEFBB2FF89300F24C16AD414AB395D771A941CFA0

Function 016BDCBC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1881708881.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f90268dc5d3721def36108c49e63c1d532fd85b93f9f117948f7fe3fe06301
Instruction ID: 288d626cf181304d2d2ddc6174ccc855b853959fceb3e7c1101bbf7b92734192
Opcode Fuzzy Hash: c0f90268dc5d3721def36108c49e63c1d532fd85b93f9f117948f7fe3fe06301
Instruction Fuzzy Hash: 70A15032E102159FCF05DFB8CC805EEBBB6FF85300B1545AAE905AB265DB71E995CB40

Function 0710D4B3 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1886634355.0000000007100000.00000040.00000800.00020000.00000000.sdmp, Offset: 07100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7100000_New Cmr JV2410180005.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374eb708133b963ab120b03f953400b437b5a0f52577c4bb6d4dab4ab9de2f5f
Instruction ID: a1e301c59a7a1e90219f045911347ec75deb696e517f5b23e7eb6b424d67cea1
Opcode Fuzzy Hash: 374eb708133b963ab120b03f953400b437b5a0f52577c4bb6d4dab4ab9de2f5f
Instruction Fuzzy Hash: 66513BB5E002198FDB14DFA9D9805AEFBF2BF89304F24C169D858A7355D7319942CFA0

Function 070F5A52 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000022), ref: 070F5AAE
GetSystemMetrics.USER32(00000023), ref: 070F5AE8

Strings

<, xrefs: 070F5A58

Memory Dump Source

Source File: 00000000.00000002.1886598212.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_New Cmr JV2410180005.jbxd

Similarity

API ID: MetricsSystem
String ID: <
API String ID: 4116985748-4251816714
Opcode ID: 3804bc74820a933dc9be818a45b31b04dc85701c94bea6f427711e253903c5c1
Instruction ID: 7a9c3c4319871f2334fcbcb31781cc07e482a35e0d16df842f76951043dda3b7
Opcode Fuzzy Hash: 3804bc74820a933dc9be818a45b31b04dc85701c94bea6f427711e253903c5c1
Instruction Fuzzy Hash: 902136B1C04349CEDB22CF99C94A79ABFF4AF08314F24845AD159A7780C3B85584CFA1

Analysis Process: RegSvcs.exePID: 7236, Parent PID: 7044COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 01309B38 Relevance: 2.8, Instructions: 2811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7f12d7213444133b889c9ad8a5e5212dd0e90f476a2a950ac8ee01fe83f5a2
Instruction ID: 304e3a997b8c04c4ca0d6432753ced5b92c4a8ac0661a7b23b8331c733006ae9
Opcode Fuzzy Hash: 8a7f12d7213444133b889c9ad8a5e5212dd0e90f476a2a950ac8ee01fe83f5a2
Instruction Fuzzy Hash: DA53F631D10B1A8ADB11EF68C8905A9F7B1FF99300F51D79AE458B7125FB70AAC4CB81

Function 0130CDB0 Relevance: 2.3, Instructions: 2301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ddeda22f86ba92b62c5b31b5a1699a743be1c6e4c101acddb09abe86b4d220
Instruction ID: 3394f4f09e2e4c5511e8c901e058adf0ad4a5bef2cc8831377a81a324ea85b77
Opcode Fuzzy Hash: c4ddeda22f86ba92b62c5b31b5a1699a743be1c6e4c101acddb09abe86b4d220
Instruction Fuzzy Hash: B3333031D107198EDB11DFA8C8906ADF7B1FF99300F14C79AE458A7265EB70AAC5CB41

Function 01304A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5859b61c79fa7cc2a4ce2e385ce9a37102b8efb0f14b5caf21ec73c7e152e512
Instruction ID: b9f2daec2ce915b771bf6e675f11af93e551b20df39fda4d0f5e133a31f2bee7
Opcode Fuzzy Hash: 5859b61c79fa7cc2a4ce2e385ce9a37102b8efb0f14b5caf21ec73c7e152e512
Instruction Fuzzy Hash: B6B17E70E00209DFDF11CFADD9A17ADBBF2AF88318F148129D915E7294EB749985CB81

Function 01303E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0037fbc71f25c66dbac352af03082c2e31217e824973ea19b520c3587c543bca
Instruction ID: 21f60fbebaab9d8a22a2ad80130d80ff20a80881a1e17890540355478f796c18
Opcode Fuzzy Hash: 0037fbc71f25c66dbac352af03082c2e31217e824973ea19b520c3587c543bca
Instruction Fuzzy Hash: 2A917C70E00209CFDF15CFA9C9957AEBBF2BF98318F148129E514E7294EB749985CB81

Function 01306EE8 Relevance: 2.6, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 01306F0E
LRfq, xrefs: 01306FE5

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq$LRfq
API String ID: 0-2141892265
Opcode ID: 4f309e066f2ba6e6abc8aa7e5886c4a3cf8d7dad6ea77a7de2e4bdd3949bf7ab
Instruction ID: 4b3d2baae4e9d3baa1abd93fe5f618229a8b45c399b38ee0f2e54e0c6274fec8
Opcode Fuzzy Hash: 4f309e066f2ba6e6abc8aa7e5886c4a3cf8d7dad6ea77a7de2e4bdd3949bf7ab
Instruction Fuzzy Hash: 1041C170B002099FDB16DFA8C46179EB7F6EF86314F10856AE405EB294EB71AC46CB91

Function 05E8E288 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 05E8E2EF

Memory Dump Source

Source File: 00000009.00000002.1946958181.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e80000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 32a4867ebced03b2b47d9c2f8c71ca93389c2c4c59bdb226f191ab24b4a866c4
Instruction ID: 4d3f0ac57f6f130bbeac21ab6be1d2764a8d94e63681aa6d980e7c49485da884
Opcode Fuzzy Hash: 32a4867ebced03b2b47d9c2f8c71ca93389c2c4c59bdb226f191ab24b4a866c4
Instruction Fuzzy Hash: 941114B1C002599BDB10DF9AC545B9EFBF8BF48320F14816AE918A7240D378A944CFA5

Function 05E8E287 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 05E8E2EF

Memory Dump Source

Source File: 00000009.00000002.1946958181.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5e80000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c97cc76bc444294570766f7461dfeb44adf9343e71c7bd4051e90ffc5e0153bd
Instruction ID: 83f57f3cb233bd056e238914fb71fed696486819c3bd6e668e34273cf0c0ec12
Opcode Fuzzy Hash: c97cc76bc444294570766f7461dfeb44adf9343e71c7bd4051e90ffc5e0153bd
Instruction Fuzzy Hash: AD1126B1C002599BDB10CF9AC5457EEFBF4BF08320F14815AD518B7240D378A944CFA1

Function 0130F2ED Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0130F43B

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 6f927f9b7a14baf2ec3d157cec7e39c829a45a8447dd9cf28357fdad7069a2f7
Instruction ID: 91a6cb248d54b271f7f0eaec7711677b25e14ff4d2ad86540abb5a0c6cad2e80
Opcode Fuzzy Hash: 6f927f9b7a14baf2ec3d157cec7e39c829a45a8447dd9cf28357fdad7069a2f7
Instruction Fuzzy Hash: 0031F270B002058FDB2AAB78D56476F7BF6AF89254F144478D406EB38ADE35DC418B90

Function 01306BB0 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01306BD7

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: 1d2164afb011a0ff0cdf2c0e821b25deeefeda39d989b878a15534721179c11c
Instruction ID: c46090accbc916e7ebca16a3eee6e54688425bc977943b0fa806d412e899adbe
Opcode Fuzzy Hash: 1d2164afb011a0ff0cdf2c0e821b25deeefeda39d989b878a15534721179c11c
Instruction Fuzzy Hash: 7C11DDB17041025FC715EBBDD4607AF7BAAEF86340F4285AAE049CB3E8EE319C418791

Function 01306B8F Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01306BD7

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: 076ee65e53313a384266adb6d831ffb38bd32c5cae1a1d14befbcb59b24b96bb
Instruction ID: c8186454030c4cf71b3318dfa0bfebdf1068aa3fe3461d5f460a671c9810f8e2
Opcode Fuzzy Hash: 076ee65e53313a384266adb6d831ffb38bd32c5cae1a1d14befbcb59b24b96bb
Instruction Fuzzy Hash: B101D4B2B001119BD705ABB8D46469E7BE6EFCA701F1184AAD10ACB3D4EE7588418791

Function 01307908 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04c15ec0a0d9bb602b52c2f085b7d35bab5670f96d8e79c1df039e7b1e4da67
Instruction ID: 016ada40dff7f4d59b2353903ae32e0dc610c63f39adbd07e407b8e4e5b60387
Opcode Fuzzy Hash: e04c15ec0a0d9bb602b52c2f085b7d35bab5670f96d8e79c1df039e7b1e4da67
Instruction Fuzzy Hash: EB1262307001028FCB2AAB7CD8A965D76E2FBC9248B505D2DE485CB399CF71ED46DB81

Function 01309364 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feeb090a9906a7d2e115fdf93b9d8a72014b70c03b42f1c5694874668fa1ceb3
Instruction ID: a151fa56b94c831395f21c20f8afe9250425e3029de35a6f04923183d9a54ae4
Opcode Fuzzy Hash: feeb090a9906a7d2e115fdf93b9d8a72014b70c03b42f1c5694874668fa1ceb3
Instruction Fuzzy Hash: 2DE16235B001158FDB16DF68D994B6EBBF2EF88318F148469E50AEB3A6DA35DC41CB40

Function 013096E0 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0c94e43707353a11eb8c88090fda6a11c0a989b499b0aa6051ca57c1ef7a3f
Instruction ID: 0fef178cfd6d0085f970d7cc27af6e1992669beae74d5bb39edbccbf8dea84bb
Opcode Fuzzy Hash: dd0c94e43707353a11eb8c88090fda6a11c0a989b499b0aa6051ca57c1ef7a3f
Instruction Fuzzy Hash: 26C1AE75A002058FEB15CFADD9907AEBBF5FB88318F108569E509EB396D770D841CB90

Function 01304A8E Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8bc29be19e5ebb0ed0de6773ba573ceccdc899d90b94ac7a4f4e2815ecb3fc
Instruction ID: 9b61e70960e9be3316a4f38e01cb387a0614a8eac834a0e8392cf1d39b36e208
Opcode Fuzzy Hash: ec8bc29be19e5ebb0ed0de6773ba573ceccdc899d90b94ac7a4f4e2815ecb3fc
Instruction Fuzzy Hash: 04A16C70E00209DFDF11CFADD9A579DBBF1AF88318F148129D918E7294EB749985CB81

Function 01303E74 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74bd7e51cf8d25aa1b3761ae8ab075e4ad07e83347dc120f8111b828d761cfd
Instruction ID: 21fc54e8603461432afbd2038f308413d24904b1d64e52e453febaa8f57c4096
Opcode Fuzzy Hash: d74bd7e51cf8d25aa1b3761ae8ab075e4ad07e83347dc120f8111b828d761cfd
Instruction Fuzzy Hash: 7E916870E00209CFDB15CFA9C99579EBBF2BF98318F148129E514E7294EB749986CB81

Function 01304810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3364dabdf6862fea6cadc6cfe5c931f4227fb2a6562da5c17c3447d9184fa94
Instruction ID: 1c7ab643bcb5f28ded3c9b6fd5f5461d01042fb90bc487487282e817a407ee52
Opcode Fuzzy Hash: b3364dabdf6862fea6cadc6cfe5c931f4227fb2a6562da5c17c3447d9184fa94
Instruction Fuzzy Hash: 40718C70E00249CFEF15CFA9C99479EBBF2BF88318F148129E514A7294EB349981CB95

Function 01304804 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7213a24650648da506daf6b32c02051c11d02b395f8f03ad962ec93e19ef1713
Instruction ID: 7f0deebf8cb4231ab78847d2270ed6f4b4bb8bc8e5749c546ebf146d2c3623c5
Opcode Fuzzy Hash: 7213a24650648da506daf6b32c02051c11d02b395f8f03ad962ec93e19ef1713
Instruction Fuzzy Hash: 1A718BB0E00249CFEB11CFA9C99079DBFF2AF88318F148129E514A7294EB349981CB95

Function 01306758 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27f3bd5311292a55d9118b3405f4ecc65f6edf118ee099408b38ac69d85c36d
Instruction ID: 8d8f83c1c7e2429da3d9ef228a7aebb93b65fd064bab6ce443c8d53aaceafe70
Opcode Fuzzy Hash: b27f3bd5311292a55d9118b3405f4ecc65f6edf118ee099408b38ac69d85c36d
Instruction Fuzzy Hash: 185102B0D002188FDB19CFA9C999B9DBBF1BF48314F148129E819BB399D774A844CB95

Function 01306774 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2702c527309e53986d7032a169930761dd6746fd0501f64a6a5fde1e45ad71
Instruction ID: e11ea81fb29857c3931be9fad4aaaab3fee5f8384f5980d678d94e4af30a25a4
Opcode Fuzzy Hash: ec2702c527309e53986d7032a169930761dd6746fd0501f64a6a5fde1e45ad71
Instruction Fuzzy Hash: E25114B0D002188FDB19CFA9C999B9DBBF5FF48314F148129E819BB395D774A844CB94

Function 01306CDE Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710ccffbb4992bfe3c167e02ee4bf591042d7881fb47e031dd9096685b899328
Instruction ID: c5ed3221ea7fa9b11e16fb148911650798da5005381f2ee8179d69e6e93c5418
Opcode Fuzzy Hash: 710ccffbb4992bfe3c167e02ee4bf591042d7881fb47e031dd9096685b899328
Instruction Fuzzy Hash: C55123B0D002188FDB19CFA9C999B9DBBF1FF48314F148129E819BB395D774A844CB95

Function 01301128 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b637a4553c172137520551a5623dd98b6194d9e96676c1c00371af0f78abc80
Instruction ID: a64a9479b7c09b958a9021ef287a43bbcf69be2983c7839fefde4026f76181fb
Opcode Fuzzy Hash: 2b637a4553c172137520551a5623dd98b6194d9e96676c1c00371af0f78abc80
Instruction Fuzzy Hash: 395110752062858FC70AFB28F9E4B593FB5FBA67047006969E100D722DEA306E85DB41

Function 01301138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdff476142761e85a2728b6bd17c1280fc2042782abfa78c8e549dca008a239
Instruction ID: 6ab9e7d39b68dba61681953a5cc1e07e2e0394dfa214ad5fd0bfe7ea402f603b
Opcode Fuzzy Hash: 3bdff476142761e85a2728b6bd17c1280fc2042782abfa78c8e549dca008a239
Instruction Fuzzy Hash: 8A51FE742062858FC719FB28F9E4B553FB5FBA6705300A979E100DB62DEA306F85DB81

Function 0130F1B0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cb7873e1ad99b851becba2591ff2775cdb8af6d0cd7945353041382863906e
Instruction ID: ecd20a928aaba7c3b54a57983b433b02dd515a30110cf286c4bf15697f161716
Opcode Fuzzy Hash: c6cb7873e1ad99b851becba2591ff2775cdb8af6d0cd7945353041382863906e
Instruction Fuzzy Hash: D1319479E102059BCB16DFA4D45569EB7FAFF89304F108929E805E7794DB70EC42CB50

Function 013026DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfeedeaf596ce6cb72b34761d42b72eae319426915242ce3fcf5166ed87b6b6
Instruction ID: b2ae046c9262432a7e02139f52e4da8f12ed5572ee2cfb78d35d3476ee034839
Opcode Fuzzy Hash: ecfeedeaf596ce6cb72b34761d42b72eae319426915242ce3fcf5166ed87b6b6
Instruction Fuzzy Hash: AB41FEB4D00349DFDB10CFA9C994A9EBFF5EF48314F248029E819AB254DB75A949CF90

Function 0130F1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40b642dad0058ca89492686ee4a64ac8842c9f038603a14131de7e8635dd2687
Instruction ID: 2d10eb0a639a2dbfd12553fc2c033970de953c6ba83135269857a0d2a4bab67d
Opcode Fuzzy Hash: 40b642dad0058ca89492686ee4a64ac8842c9f038603a14131de7e8635dd2687
Instruction Fuzzy Hash: A7318578E002059BCB16DFA5C45469EB7FAFF88304F10C929E806E7794DB70AC42CB40

Function 013026E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aacf738ee05ac650f91f643ff2a264615e55d2d3cebaa9eca643b6e2bbf69f62
Instruction ID: ad816c7a41f26b4728c7304e4cdb2514f80e14fc25da61941f73461af0af50e0
Opcode Fuzzy Hash: aacf738ee05ac650f91f643ff2a264615e55d2d3cebaa9eca643b6e2bbf69f62
Instruction Fuzzy Hash: 6641EEB4D00349DFDB10CFA9C994A9EBFF5FF48314F208029E819AB254DB75A949CB90

Function 013050A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06e90c15fcc47f2672b86fdf57333e58d8697cbb196f80d583218d5e32a9f98
Instruction ID: c4a988b51306f8e5a0631d9c234b29190ae3e3b54823be2170a701a5e89ab5d8
Opcode Fuzzy Hash: d06e90c15fcc47f2672b86fdf57333e58d8697cbb196f80d583218d5e32a9f98
Instruction Fuzzy Hash: F5311A307002158FDF1AEB78C5646AE77F6AF99248F100869D811EB394DF36DD41CBA1

Function 01305099 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1a1b9d18ab6d602425cf738285f52b56f6639cc6cc3ba9fa516cd7f123013f
Instruction ID: 3837d81524e09667e586a0bacd17b15951df2312a619c4d956693fc967edcf9f
Opcode Fuzzy Hash: 3f1a1b9d18ab6d602425cf738285f52b56f6639cc6cc3ba9fa516cd7f123013f
Instruction Fuzzy Hash: 283109306002158FDF1AEB78C5646AE77F6AF59248F100869D811EB3E5DB36DD41CB91

Function 01309250 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf864723d3d393e4f96c99f467bc54a06cbe848e46b15cc4d509e1c1520e95f
Instruction ID: a78b1f8eba6cf05b9963bebafcc3d1c46d7c7edd5381002e27c6e17f64a3809e
Opcode Fuzzy Hash: 8bf864723d3d393e4f96c99f467bc54a06cbe848e46b15cc4d509e1c1520e95f
Instruction Fuzzy Hash: 0331D271E0020A9BCB06CFA8C59079EF7B2BF49308F54D619E809EB395DB709842CB40

Function 01309260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba049dbafd85830cb5f94fa164c1b9adb92e4df77d5dd1dc1318f75bb81d95f
Instruction ID: d5b104bccce916eaa07aed6b145bc33a34b229b6526876bde23ddc9d18388e8b
Opcode Fuzzy Hash: 8ba049dbafd85830cb5f94fa164c1b9adb92e4df77d5dd1dc1318f75bb81d95f
Instruction Fuzzy Hash: 9D21A630E0020A9BDB06CFA8D59079EF7B6FF89308F54D519E809EB395DB719842CB50

Function 01309150 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ecd37b75652acdde73575fe0fdacac931d0bbcfdf4bbc0b38c73eef4dc215c
Instruction ID: dfbbebfb5297edd577d26d679a72885efb1a1c44b583e80068f41c2047f57f6a
Opcode Fuzzy Hash: 67ecd37b75652acdde73575fe0fdacac931d0bbcfdf4bbc0b38c73eef4dc215c
Instruction Fuzzy Hash: 67217431E0021A9BCB1ACFA4D9556DEF7F6AF89308F10852AE815FB391DB70D946CB50

Function 013016A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250e8eb8463220e5f1cea6e6a459c47483a2a62605452622de42f837f4e10f16
Instruction ID: b756e2277cc8c5bd4bd0a0b335f68ebd3441538fb2a2651fa2040d3a79e8766f
Opcode Fuzzy Hash: 250e8eb8463220e5f1cea6e6a459c47483a2a62605452622de42f837f4e10f16
Instruction Fuzzy Hash: DA21A4786101415FDF27F72CE89475E3BA5EB41B18F106E29E406C729ADB34DD818BC1

Function 01309160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2dc53a277829e15695c7f612fc2ea852987ef1f5b0d250217bb52c54f463e0
Instruction ID: bde451727636b307d309d89dd8dcdfc94593a68361c0930b90b7ed4917a9a5ca
Opcode Fuzzy Hash: 4e2dc53a277829e15695c7f612fc2ea852987ef1f5b0d250217bb52c54f463e0
Instruction Fuzzy Hash: 63216530E0021A9BCB1ACFA8D9546DEF7F6AF89318F10852AE819F7391DB709945CB50

Function 01301888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbfc516222eb8c6670d6e07c5d17ca1ad0bfe0c70ae522b3350ba8cc5a52d68a
Instruction ID: 3265a833f0c17d40049499d9b7f3f5cca238d2cd4ea5a35ac5b22f3e0af9361f
Opcode Fuzzy Hash: cbfc516222eb8c6670d6e07c5d17ca1ad0bfe0c70ae522b3350ba8cc5a52d68a
Instruction Fuzzy Hash: 34212A30B002158FDB26EB78C5647AE77F6AB49309F100469D506EB394DF36DE41CBA1

Function 013016B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b77fc63b165beccac6d2a20f2e94ec4e130a8ef93e89c5adc84beb340abb6fc
Instruction ID: a3a6d1d1a01a224dca6616904be9d5a4b3385e78a410570d4a8ef87ec7fecb65
Opcode Fuzzy Hash: 2b77fc63b165beccac6d2a20f2e94ec4e130a8ef93e89c5adc84beb340abb6fc
Instruction Fuzzy Hash: BA2193386101414FDF27F72CE894B5E3BA5EB45B18F106A25E406C729ADF34DD858B91

Function 01301380 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de208ebef1ce1fe036e7b57c44a4c2c85ed6bda4766bc0d445d5901095f62d65
Instruction ID: e8240f8693f8286e0fdb88d66701bdf607789b0d5445605509df81693aa729f9
Opcode Fuzzy Hash: de208ebef1ce1fe036e7b57c44a4c2c85ed6bda4766bc0d445d5901095f62d65
Instruction Fuzzy Hash: FE21A2746012408FDB37676CE4A976E3FB1EB03719F51086AF406DB6D6DF29C8818742

Function 0130187A Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1caac250d2e8cf9b12a89ddf8319474c4470b35d9106135df6d6f2741b3f76d
Instruction ID: 41764827c309654664a78363f03c81151bb8cb520ea78236d01a0ef412828498
Opcode Fuzzy Hash: b1caac250d2e8cf9b12a89ddf8319474c4470b35d9106135df6d6f2741b3f76d
Instruction Fuzzy Hash: BF214A30B00215CFDB66EB68C5647AE77F6AB49309F10086AD506EB395DB36CE40CBA1

Function 01301390 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be09d7ae42f5186b3b2d1d5392853cf4b984382f1956e1cd06e2f4bd0a7796cc
Instruction ID: e66c5919dee30aca43f9119be53c177510f0e26eab78de7a9a0fb94d9ac27762
Opcode Fuzzy Hash: be09d7ae42f5186b3b2d1d5392853cf4b984382f1956e1cd06e2f4bd0a7796cc
Instruction Fuzzy Hash: 7F11BB746002108BEB37676CE0A976E3FA1EB03719F510869F406DB7D1DF29C8828782

Function 01300848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b660fff9233c9cf85cc31336f121fa4229bcd5979dc0ebb6df754c776e8b359e
Instruction ID: 378a38829da7324e8f6b8eecab15fc723195bfd7efe461d98f9f7e9edbbea87d
Opcode Fuzzy Hash: b660fff9233c9cf85cc31336f121fa4229bcd5979dc0ebb6df754c776e8b359e
Instruction Fuzzy Hash: 67116031B002088BEF2BA77CC4647693BD1FB45298F109939F016CF292DA25CE814BD1

Function 01300838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350c66f6e1c4ac9ab9452934f39865b1462e04936f5d3e30a1db6020606904b5
Instruction ID: e1e29c96e302ad8d491228b7012bfa0af7a9e4ac77c600cd40c0808a63abe7e4
Opcode Fuzzy Hash: 350c66f6e1c4ac9ab9452934f39865b1462e04936f5d3e30a1db6020606904b5
Instruction Fuzzy Hash: 2811CA35A002048BEF2B577CD4743793BD5F742298F144935F412DF2C2DA25CA814BD2

Function 013080F1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82eaf085698300fcc99268fa1acc96523797562536aa208d3192780874760651
Instruction ID: 6adc66d0d297ea5e054ea82a7a434fc72c4a7559091598a207ffd2e0148ff92a
Opcode Fuzzy Hash: 82eaf085698300fcc99268fa1acc96523797562536aa208d3192780874760651
Instruction Fuzzy Hash: CB110874600146DFCB16EBA8F99479D7BA1EB80304F006AA9D444DB2E5DF319E41DB81

Function 013017C2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a79766b01f7493655a1318506c8a49c3413b4d3cd59d54abb0264b25b9c88c
Instruction ID: 9a5591202188403d459bb16e41aa6477ea90fb3308d291abbf00083c43ced9a6
Opcode Fuzzy Hash: 13a79766b01f7493655a1318506c8a49c3413b4d3cd59d54abb0264b25b9c88c
Instruction Fuzzy Hash: 1C11E176F002119FCB11ABB9991875F7FF9EB49754F100925EA05D3344EA34DA0287D1

Function 0130148A Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b1e22cd757ba3a6aa2f2c74edee7114acaaae1cd3ed3014302d25fb99c1443
Instruction ID: a21ab28d3e010908cfe7190b78dc93ebd7c49cb819771842632fa7be3c5c188e
Opcode Fuzzy Hash: 70b1e22cd757ba3a6aa2f2c74edee7114acaaae1cd3ed3014302d25fb99c1443
Instruction Fuzzy Hash: 3D116171A002158FCB27EFBC85602AE7BF5EB58359B15047ED405E7381EB36C8418B91

Function 013017D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f95c9bb1f2cb1f3ac8ff401047cb4e5bdaf9da9b1f1f420377f7c4c386bb304
Instruction ID: 71d369aa6e1df46f26d8582e60bfc1f394c9992539931293c73a75a8b73b05fc
Opcode Fuzzy Hash: 4f95c9bb1f2cb1f3ac8ff401047cb4e5bdaf9da9b1f1f420377f7c4c386bb304
Instruction Fuzzy Hash: F701C075B002159FCB11ABB9991875F7FE9AB89754F100925EA09D3344EA34DA028BD0

Function 01301498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3283d513703ecf83e89b206af3fbad8f3f7cec1b6172da6a7b75c35a17866f47
Instruction ID: c2569aacd8adadd1530810559682869291f7041b77d201ba6cf7a4a8eaf7dea0
Opcode Fuzzy Hash: 3283d513703ecf83e89b206af3fbad8f3f7cec1b6172da6a7b75c35a17866f47
Instruction Fuzzy Hash: 0E012D31A002159BCB26EFBD84602AEBBF5EB58259B15047AD905E7381EA36C8418BA1

Function 01307090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565fae18d1814c22896348399dd9fa8e306b7d5770a081159d678d34f0f7fd15
Instruction ID: c655bc90cde37a64ad8808a341dd6afd0716b8797f3b8b75ecb8edc292dd94d4
Opcode Fuzzy Hash: 565fae18d1814c22896348399dd9fa8e306b7d5770a081159d678d34f0f7fd15
Instruction Fuzzy Hash: 4AF0EC39B00204CFC714DB74D5A9B6C77B2EF89715F5044A8E9069B3A4DF35AD42CB40

Function 01308100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1940916409.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae07b11a6cf161012f7089e42a20673fee9805b6583a52cbb5d62875c885a5cc
Instruction ID: 7fc4b0a9a98f3f3ef51dfcbfbb05c999e96870be4d58d79f02018355ac58bb2e
Opcode Fuzzy Hash: ae07b11a6cf161012f7089e42a20673fee9805b6583a52cbb5d62875c885a5cc
Instruction Fuzzy Hash: E8F06274901109EFCB45FBB8F990A9D7BB1FB40300F506A78D404EB268EE312F449B91

Analysis Process: kOtBoy.exePID: 7256, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	234
Total number of Limit Nodes:	13

Executed Functions

Function 075ED9A5 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075EDBE6

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4a0d3acaa8f8d7d75857dc6bc643f829528bbcf2a66a1873f63c9828a21a721a
Instruction ID: ba9dd03ebe8ca1a0d302c724f60b88adafa154b31f1003b33aa40fe2246c6a28
Opcode Fuzzy Hash: 4a0d3acaa8f8d7d75857dc6bc643f829528bbcf2a66a1873f63c9828a21a721a
Instruction Fuzzy Hash: 17A14BB1E0031ADFDB24DF68C9417EDBBB6BF48314F14816AD848A7280DB749A85CF91

Function 075ED9B0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 075EDBE6

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 924855be1a72218d1f9357129420aaf13d14f38cccb013233ac9959d309ee2e1
Instruction ID: bc6e827ec36c55d382711dc6f07bcb689e26d63a749b6de6a48a76f5185ee754
Opcode Fuzzy Hash: 924855be1a72218d1f9357129420aaf13d14f38cccb013233ac9959d309ee2e1
Instruction Fuzzy Hash: E1914BB1E0031ADFDB24DF68C941BDDBBB6BF48314F14816AD809A7290DB749A85CF91

Function 02F3B498 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B6FE

Memory Dump Source

Source File: 0000000A.00000002.1946265590.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f30000_kOtBoy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4250ff795011a67149b374365a141dce77abc71f841912be7fdd0a454b2ec332
Instruction ID: 53a70ca1bbc16b2eadedce4e882c87883f72648494805b47ae3b7d1a0a4552a4
Opcode Fuzzy Hash: 4250ff795011a67149b374365a141dce77abc71f841912be7fdd0a454b2ec332
Instruction Fuzzy Hash: 888142B0A00B498FDB65DF29C56075ABBF1BF88348F04892ED586D7A50DB34E845CB91

Function 02F3590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F359C9

Memory Dump Source

Source File: 0000000A.00000002.1946265590.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f30000_kOtBoy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b27ec2faa9a96952110e313a63002b478bb2109ef851c46959c0d7c8303d0943
Instruction ID: 8d88ab852e84c5ab11613a4c1034e19db096833aa30cd736196e2f386aa0164e
Opcode Fuzzy Hash: b27ec2faa9a96952110e313a63002b478bb2109ef851c46959c0d7c8303d0943
Instruction Fuzzy Hash: 8841C0B0C00719CBDF25CFA9C984B8EBBF6BF88304F60815AD508AB255DB756949CF90

Function 02F344D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02F359C9

Memory Dump Source

Source File: 0000000A.00000002.1946265590.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f30000_kOtBoy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 41d394705f7cb758b38f4e80b240e6fac08a7beff599d2a83adb899e3fd4756b
Instruction ID: 625cc3c0cc9e4a2a6756b3e13579157cb3a8b889fa2a328f2e7ee05f183065f5
Opcode Fuzzy Hash: 41d394705f7cb758b38f4e80b240e6fac08a7beff599d2a83adb899e3fd4756b
Instruction Fuzzy Hash: 8541BFB0D00619CADB25CFA9C984B9EBBF6BF88304F60806AD508AB255DB756945CF90

Function 075ED2E8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075ED380

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5373ff5b6c86e6a52e764346409e5ba3ade0e5f4ec78c213d6784998dac9de87
Instruction ID: f33590e8e3133aa11919da7bf2b15123b458255043dbe6c5a8b2786b156ff169
Opcode Fuzzy Hash: 5373ff5b6c86e6a52e764346409e5ba3ade0e5f4ec78c213d6784998dac9de87
Instruction Fuzzy Hash: E02126B59003499FCF14CFA9C981BDEBBF5FF48320F10842AE918A7240D778A944DBA0

Function 075ED2F0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 075ED380

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f76f4cdf1b352b2016447fc044f082afece237f26cd74cca5621631343405fde
Instruction ID: 33bbcaa476f81724691fb338501c2758557d372b1788623bb86560dfbd3dcd43
Opcode Fuzzy Hash: f76f4cdf1b352b2016447fc044f082afece237f26cd74cca5621631343405fde
Instruction Fuzzy Hash: A92127B59003499FCB10CFA9C981BDEBBF5FF48320F10842AE918A7240C7789940DBA0

Function 075ED150 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075ED1D6

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: bd93a5935bb4d5e51a55429811a39ab009b5c161cf2289539eeaa72057874b02
Instruction ID: 22efb5da90f8b281af5a4a0eda1627937b0d02adecee2bbd178ca831b54b924a
Opcode Fuzzy Hash: bd93a5935bb4d5e51a55429811a39ab009b5c161cf2289539eeaa72057874b02
Instruction Fuzzy Hash: B0212AB19003099FDB14DFAAC5857EEBBF5EB48324F14842AD519A7240C778A545CF91

Function 02F3D97C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F3DD56,?,?,?,?,?), ref: 02F3DE17

Memory Dump Source

Source File: 0000000A.00000002.1946265590.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f30000_kOtBoy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a149fb5cc49f0740e18f0c459bb7b7871446ca1548e9d1fce37268b034380ab7
Instruction ID: 7a6bd9dc656099dc19ee0425f72ba76442852d89e918fd680e6b473da0126f1b
Opcode Fuzzy Hash: a149fb5cc49f0740e18f0c459bb7b7871446ca1548e9d1fce37268b034380ab7
Instruction Fuzzy Hash: 0821E5B5D00248DFDB10CF9AD984ADEBFF8EB48314F14845AE914A7310D375A950CFA4

Function 075ED3D8 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075ED460

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 111c01bdafed0fe8c2a72050332ab9a221409ca331651e16c1b59bbc70bc2a3a
Instruction ID: 6370c8099af7e84cf786ab3e764074888b6293e04f088d8bc76b0e786dd28824
Opcode Fuzzy Hash: 111c01bdafed0fe8c2a72050332ab9a221409ca331651e16c1b59bbc70bc2a3a
Instruction Fuzzy Hash: 25212AB1D003499FDB10CFAAC981ADEBBF5FF48320F14842AE959A7250D7799900DBA1

Function 075ED3E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075ED460

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f8a6e0ab5511ff2599ca010c69fc0aefd5b1c5237a192e5d15710c4810fd1cf7
Instruction ID: 0c4863ef7e8fb7a2f49f2aaf94570006712f93be48c285e9deb06e6095006ac9
Opcode Fuzzy Hash: f8a6e0ab5511ff2599ca010c69fc0aefd5b1c5237a192e5d15710c4810fd1cf7
Instruction Fuzzy Hash: 032128B1D003499FCB10CFAAC981ADEBBF5FF48320F10842AE559A7240C779A500DBA1

Function 075ED158 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075ED1D6

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4d5e4ae5576e229b8cc1ca39c20437bb395ff7e561498969b2e0de6ec3bc5eef
Instruction ID: eec170f9a9e7afc15cceed6dd6ef283aeec4520fa0f5fe19d6427a65524bbfc0
Opcode Fuzzy Hash: 4d5e4ae5576e229b8cc1ca39c20437bb395ff7e561498969b2e0de6ec3bc5eef
Instruction Fuzzy Hash: 032109B19003098FDB14DFAAC5857EEBBF5AF88324F14842AD559A7240C778A544CFA1

Function 07528BD8 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07529CDA,?,?,?,?,?), ref: 07529D7F

Memory Dump Source

Source File: 0000000A.00000002.1954984872.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7520000_kOtBoy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: cf09673f816542c36fee38ccbcde468615486cfd84346691edc4d07da1df0b0e
Instruction ID: c1abcddc415a313780b9e8cd05eea9369375ee62f8b6dd3792d65834ae3f2e47
Opcode Fuzzy Hash: cf09673f816542c36fee38ccbcde468615486cfd84346691edc4d07da1df0b0e
Instruction Fuzzy Hash: 391126B68002599FDB10DF9AC844BDEBFF8EB58320F14841AE914A7250C379A954EFA5

Function 075ED22A Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075ED29E

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ab5f9e6d0f724884701fcf97b2d615d821cb307a57d7e159072ab09d15bbc82d
Instruction ID: 660c549676a5bfa5bc485d448096015eccf39ad7640ff4197bc73db37a9605ab
Opcode Fuzzy Hash: ab5f9e6d0f724884701fcf97b2d615d821cb307a57d7e159072ab09d15bbc82d
Instruction Fuzzy Hash: 991159B29002499FCB10DFAAC845ADEBBF9EF88324F108419E519A7250C779A540DFA1

Function 075ED230 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 075ED29E

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ff36741c042e1a4e91afedc881f6a54aef31c1c36d2f0665be76b3c412bf527a
Instruction ID: 6a001c9f89c5cfb29c58d39b551838f3f474ef184fd87606fbdcba6add15cf8e
Opcode Fuzzy Hash: ff36741c042e1a4e91afedc881f6a54aef31c1c36d2f0665be76b3c412bf527a
Instruction Fuzzy Hash: BE113AB19003499FCB10DFAAC945ADEBFF5EF88324F148419E519A7250C775A540DFA1

Function 07529D0A Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07529CDA,?,?,?,?,?), ref: 07529D7F

Memory Dump Source

Source File: 0000000A.00000002.1954984872.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7520000_kOtBoy.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 09fe2491008a885ad8178a863708d33338058e98bfc38b74f8de25e6252c791f
Instruction ID: 6e20e4797946d890b2b7c715aeb5ecc608de88ca0e3684378b0a9a32d7ad4f3d
Opcode Fuzzy Hash: 09fe2491008a885ad8178a863708d33338058e98bfc38b74f8de25e6252c791f
Instruction Fuzzy Hash: 301126B68002599FDB10CF99C944BDEBFF8AB58320F14841AE514A7250C379A954DFA0

Function 075ED0A2 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075ED10A

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e5bb44848c2584290bfba2626727fb40085a2da1ca24c6404336ded678d5c697
Instruction ID: 80bf9930e7a7cc99ad5035814c429262391019d7a0bf6f4fadef93a4be1096d8
Opcode Fuzzy Hash: e5bb44848c2584290bfba2626727fb40085a2da1ca24c6404336ded678d5c697
Instruction Fuzzy Hash: FE1128B19003498FDB24DFAAC445BDEFBF9EB88324F24841AD519A7240C779A944CF95

Function 075ED0A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 075ED10A

Memory Dump Source

Source File: 0000000A.00000002.1955065645.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_75e0000_kOtBoy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f76c1cbe7aba1276e288d80261fc24f550fa216acaa150c3e9c41615c1bc316e
Instruction ID: 1f58b259e8c2f8f45d8746ff272030505a7ee0de4571c786eb71158422a60112
Opcode Fuzzy Hash: f76c1cbe7aba1276e288d80261fc24f550fa216acaa150c3e9c41615c1bc316e
Instruction Fuzzy Hash: DE1128B19003498BDB24DFAAC4457DEFBF9EB88324F24841AD519A7240C679A540CB95

Function 02F3B698 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B6FE

Memory Dump Source

Source File: 0000000A.00000002.1946265590.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2f30000_kOtBoy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b11d2a02b2aeb4fc5cb18e38930d1cd57dea4fbbcd01a971361e7679188ee8bf
Instruction ID: 534a29a42d35c30b677c673cb077c9a7bc319a47b2ee01297522c3f1ea4835a3
Opcode Fuzzy Hash: b11d2a02b2aeb4fc5cb18e38930d1cd57dea4fbbcd01a971361e7679188ee8bf
Instruction Fuzzy Hash: 8C11DFB5C006498FCB10CF9AC544ADEFBF5EB88328F14845AD519A7610C379A545CFA1

Function 0C361202 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0C361265

Memory Dump Source

Source File: 0000000A.00000002.1956622278.000000000C360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c360000_kOtBoy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c08a13e1e783a34e388e4ff2589f75b21dc394f41ca5de8acfdecf75b470501
Instruction ID: d5ea6b1f2e3e92be0b0eda5cef6cad078f7a1c800e930a4c15f3c7f711fba435
Opcode Fuzzy Hash: 8c08a13e1e783a34e388e4ff2589f75b21dc394f41ca5de8acfdecf75b470501
Instruction Fuzzy Hash: 3711D0B5800349DFDB10CF9AD985BDEBBF8FB48324F20845AE558A7650C379A944CFA1

Function 0C361208 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0C361265

Memory Dump Source

Source File: 0000000A.00000002.1956622278.000000000C360000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c360000_kOtBoy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f83b83d46346902d2a8eda2afc2cccfc3ae00dc3a8bd50712a2c9251da98de84
Instruction ID: 2f33cfb3dfda7a38ed0eb1d5fce3b2a93dc6cc0fb71e76314bd1f5cade36dfb5
Opcode Fuzzy Hash: f83b83d46346902d2a8eda2afc2cccfc3ae00dc3a8bd50712a2c9251da98de84
Instruction Fuzzy Hash: 1F11D0B5800349DFDB10CF9AD985BDEBBF8EB48324F20845AE558A7650C379A944CFA1

Function 0145D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939773765.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_145d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eadf94fe902846e4ba497e3fd5434d707edd5f5ed301daedef8430de467c9a0a
Instruction ID: d4de74610bd012c3e3823c7954c60144d499110ba9e48b694e870ab3612fb244
Opcode Fuzzy Hash: eadf94fe902846e4ba497e3fd5434d707edd5f5ed301daedef8430de467c9a0a
Instruction Fuzzy Hash: 6221E2B1904204DFDB45DF58D9C0B66BF65FF84324F24C56AED090A267C336E456CAA1

Function 0146D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939992146.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_146d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5b0805357624192982fe60ff746bb50aadef30bfcc4e9cf496528e1b82ab48
Instruction ID: 82e7506dba61f5d9a1824c56461563768ce6b784b87ef7960f593ac97fbd11f9
Opcode Fuzzy Hash: 4a5b0805357624192982fe60ff746bb50aadef30bfcc4e9cf496528e1b82ab48
Instruction Fuzzy Hash: E8212CB1B04200DFDB15DF54D5C0B26BB69FB84328F24C56ED9894B362C736D446CB62

Function 0146D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939992146.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_146d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331424b1237f610706f64d8f67b1bfef7e01f6b7dc0068d213b48e7a2f9b1c03
Instruction ID: 6553360407fb85710a254e8622d31f46d819090242abd7f8ebd5bb7de81bf0c9
Opcode Fuzzy Hash: 331424b1237f610706f64d8f67b1bfef7e01f6b7dc0068d213b48e7a2f9b1c03
Instruction Fuzzy Hash: 4B2103B5A04200DFCB15DF58D9C0B26BB69EB8435CF24C56EE98A4B366C336D407CA62

Function 0146D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939992146.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_146d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3340b136d1263a963f93389aa21519bc1708efdcd1ec8666a931feda77ec1e3
Instruction ID: 47c2207e9fe0a3eefc7d6f51e9240f65dcb6e4731fc2b24a1f2969ceeae07f84
Opcode Fuzzy Hash: e3340b136d1263a963f93389aa21519bc1708efdcd1ec8666a931feda77ec1e3
Instruction Fuzzy Hash: 612183755093808FD713CF24D590716BF71EB46218F28C5DBD8898B667C33A980ACB62

Function 0145D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939773765.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_145d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction ID: 3c306642d7b8b4503d1aea07236b8d12aeb381186687e8f4ae84ead8d436ff69
Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
Instruction Fuzzy Hash: 2011CD72804240CFDB16CF44D9C0B56BF62FB84224F24C2AADD090A667C33AE45ACBA1

Function 0146D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1939992146.000000000146D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0146D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_146d000_kOtBoy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction ID: 1b056a910a3cca9274dcd4a358f47c7656209acf4a005983385417d92504b85f
Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
Instruction Fuzzy Hash: D6118E75A04240DFDB16CF54D5C4B16BB61FB84228F28C6AAD8494B766C33AD44ACB52

Analysis Process: RegSvcs.exePID: 7728, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 01089B38 Relevance: 3.1, Instructions: 3071COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bbee2348e5cb0c130f3585bfe6acc996ae495dc289ea30efbfab92b80ec31e
Instruction ID: c10d5173d54462682c5e74a8e7f8d795c3cc9eeb9eb0424799cd32c76d00dd51
Opcode Fuzzy Hash: 37bbee2348e5cb0c130f3585bfe6acc996ae495dc289ea30efbfab92b80ec31e
Instruction Fuzzy Hash: 47630A31D14B1A8ADB51EF68C9805E9F7B1FF99300F11C79AE49877121EB70AAD4CB81

Function 01089378 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e624533bd015995169bec5b536cbba19afabb28d655e1e3d205537c216cfd5
Instruction ID: 380e2ba47e151fe5ba08e032039c9ff8f4ae67561fdce19f02d22f23a6cb44fe
Opcode Fuzzy Hash: c0e624533bd015995169bec5b536cbba19afabb28d655e1e3d205537c216cfd5
Instruction Fuzzy Hash: A3328E34A042058FDB54EFA8D584AAEBBF2EF88314F108469E949EB395DB35DC41CB90

Function 01084A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89852933be2567bc2fd980296a7144d277114be8d17b6ae074e65690a60c03d7
Instruction ID: b1e834db13cb994ab80a44ad7bfcb68a3e933feffa5da05bb1e6c9ddbf158bfe
Opcode Fuzzy Hash: 89852933be2567bc2fd980296a7144d277114be8d17b6ae074e65690a60c03d7
Instruction Fuzzy Hash: 47B15E70E0431A8FDB50EFA9C9817DDBBF2AF88314F148529D895EB254EB749845CB81

Function 01083E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ddd05b0fca810e051825144dfc859e9792ac42a66e4c5378b9dbb8e72fb41b
Instruction ID: 73320da1ba69adf0e6a9fe2202840e8b52575424a80058d2bba0ee3786c434a1
Opcode Fuzzy Hash: d2ddd05b0fca810e051825144dfc859e9792ac42a66e4c5378b9dbb8e72fb41b
Instruction Fuzzy Hash: 5B915A70E0420A8FDF50DFA9C9857DEBBF2BF98714F148129E485EB254EB749846CB81

Function 01086ED8 Relevance: 2.6, Strings: 2, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LRfq, xrefs: 01086FE5
LRfq, xrefs: 01086F0E

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq$LRfq
API String ID: 0-2141892265
Opcode ID: 7b7e1517294ac4edeedc7e72ee19edd019b06abfc641b64922b5df481066e872
Instruction ID: 65823ab2a5d866123f445ae942d73035290bb774924444f8fee690e4ee8c21ca
Opcode Fuzzy Hash: 7b7e1517294ac4edeedc7e72ee19edd019b06abfc641b64922b5df481066e872
Instruction Fuzzy Hash: 7251F530B042198FDB16EF78D85079EBBB5EF86300F208569E485EB296DB75DC42CB90

Function 0604E280 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0604E202), ref: 0604E2EF

Memory Dump Source

Source File: 00000012.00000002.2997488416.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6040000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 792123be9dd19a631fa7205556fc16c95e1d016c7004930da815d776fafb87e7
Instruction ID: cbb79f2ca518a830b647b2364f9d24ba0b4a2c2fc73bcd6544b95f1263c6f40b
Opcode Fuzzy Hash: 792123be9dd19a631fa7205556fc16c95e1d016c7004930da815d776fafb87e7
Instruction Fuzzy Hash: 7E2198B1C0021A9FDB60DFAAD54579EFBF4BF48320F14812AD818B7240E7789940CFA0

Function 0604D5AC Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0604E202), ref: 0604E2EF

Memory Dump Source

Source File: 00000012.00000002.2997488416.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_6040000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d70b4605114d5fb27730ed1c7524b0dc39310b882de7f3723820db288c864328
Instruction ID: adc74f35b7b703fa8441c56ca073faf95e435f699573764e875a52c156b3ca9b
Opcode Fuzzy Hash: d70b4605114d5fb27730ed1c7524b0dc39310b882de7f3723820db288c864328
Instruction Fuzzy Hash: BC1106B1C0065A9BDB10DF9AC544B9EFBF4FF48320F14816AE918B7240D778A940CFA1

Function 0108F2ED Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108F43B

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 704eef4594f68f1e27b149ba51025a4902af0b9abcf940588a17b4ff57c1b4a0
Instruction ID: 73c169dcf3d2665ec1f1fce8990b44f55e699a81357023d9fb3e353bee884f58
Opcode Fuzzy Hash: 704eef4594f68f1e27b149ba51025a4902af0b9abcf940588a17b4ff57c1b4a0
Instruction Fuzzy Hash: A431E7307042028FDB19AB38D5946AE7BF2AF89210F1444ADE486DB39ADF35CC42CBD0

Function 0108F300 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHfq, xrefs: 0108F43B

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: PHfq
API String ID: 0-2154135885
Opcode ID: 4b39574a1cf0e379013581061553a9511c36be611c117325087b350c7b962ec4
Instruction ID: 44844d445fe4ee47785887621a0a92be5a13210dc90f66230884972afba79421
Opcode Fuzzy Hash: 4b39574a1cf0e379013581061553a9511c36be611c117325087b350c7b962ec4
Instruction Fuzzy Hash: DA31E430B042068BDB19AB38D55476E7BF2AF89200F109469E486EB399DF35DC42CBD0

Function 01086F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01086FE5

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: ae3d28f70d7cffbee243879ab0ba9ec9e2ee6d1cc2ef149f909e89abfcb01850
Instruction ID: 7e3de4fdc044723952d2aa19c1ea22c455432672b2586df2243de2a3d879cd23
Opcode Fuzzy Hash: ae3d28f70d7cffbee243879ab0ba9ec9e2ee6d1cc2ef149f909e89abfcb01850
Instruction Fuzzy Hash: 5631AF34E10209CBDB25DF68D54479EB7B5FF85300F208569F481EB285EB71A842CF50

Function 01086B87 Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

LRfq, xrefs: 01086BD7

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRfq
API String ID: 0-2333822924
Opcode ID: b202373f60a7bdb3e710890fc13fe2de955142baa86a917af88139fb08ea5321
Instruction ID: 2261a6db4bab2400cf83c461e5ba42035ba1c1370c69e3a3e1421e0bf9466f95
Opcode Fuzzy Hash: b202373f60a7bdb3e710890fc13fe2de955142baa86a917af88139fb08ea5321
Instruction Fuzzy Hash: F92127716083519FC716AB38D0502AA7BF5EF86310F1185EED045CB2A6EF798C46CB91

Function 01087908 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f4c86806b110088c890263fbd176c70c77d78094e5156ae821c239ef285d5d
Instruction ID: a0a2ffdfe51803bdf7cc2bf173c1221e735c149f38673d85e3659f8e73fc9f89
Opcode Fuzzy Hash: 55f4c86806b110088c890263fbd176c70c77d78094e5156ae821c239ef285d5d
Instruction Fuzzy Hash: 32127D347041018BCB5AAB38E48A62C7BE6EB89304F609D2DE149DB35ACF75DC429F95

Function 01087918 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d98789ead3073e337cc804c29c809ff02232df78ec6b46b6d11ad6b79dada89
Instruction ID: b333c91f3b7034eb5161043713b9853064e751353d7e8cf20cd64e47fafb1f15
Opcode Fuzzy Hash: 3d98789ead3073e337cc804c29c809ff02232df78ec6b46b6d11ad6b79dada89
Instruction Fuzzy Hash: 98126E347041018BCB5AAB3CE48A62C7BE6EB89304F609D2DE149DB35ACF75DC429F95

Function 0108CDB0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63310b2f853fa0756eca231339780c936867098c9c076eb7742ca511f6354266
Instruction ID: 1a2e50e4578abf112d087e57f7081f75df13098f61a0960e80a95215542f7565
Opcode Fuzzy Hash: 63310b2f853fa0756eca231339780c936867098c9c076eb7742ca511f6354266
Instruction Fuzzy Hash: 1EC1F671B042169FDB55EB78C980A6EBBB6EF84310F148569D585CB296CB31EC42C790

Function 01084A90 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c926bb393ed87e27e86298bac59c234423b951f27cce1daae484d83555eea8c
Instruction ID: 427b9a421d5ca0e29bf0768e93e929629e25f452fa4bbe47f1d919c899caec24
Opcode Fuzzy Hash: 7c926bb393ed87e27e86298bac59c234423b951f27cce1daae484d83555eea8c
Instruction Fuzzy Hash: 7DA15B70E0421A8FDB50EFA9C9817DDBFF1AF88354F148129D898EB254EB749885CF81

Function 01083E74 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7faa7008a27eb901f2fa51b312e86d038f11c73245fbe83d224fa194e584eb9
Instruction ID: 8494b97a89ae4cd1829a370914473df32e7fcd683215e890b7c7a3b4add230da
Opcode Fuzzy Hash: d7faa7008a27eb901f2fa51b312e86d038f11c73245fbe83d224fa194e584eb9
Instruction Fuzzy Hash: E5A14A70E0420A8FDF50DFA8C9857DEBBF2BF98714F148129E485EB254EB749846CB81

Function 01089364 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6aedab523750c0c87525babe6095df2da2a58232215c0160ca3a5569ca901a
Instruction ID: 5452904cf6f3c413822a04dbf8268b30d317a58d29e4382e8492ba4d95d9d3e4
Opcode Fuzzy Hash: 3e6aedab523750c0c87525babe6095df2da2a58232215c0160ca3a5569ca901a
Instruction Fuzzy Hash: B2917E34B042158FDB55EF68D584AAEBBF2EF88314F148469E846EB3A5DB31DC42CB50

Function 01084810 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e845068b89e5f23607c635cd9a8d8dae3078db8cb41114ac73a520347542b
Instruction ID: 5a714ff755fc5df612d5ddc945d028afa5a940c777d91710a4663e31bc101701
Opcode Fuzzy Hash: fd0e845068b89e5f23607c635cd9a8d8dae3078db8cb41114ac73a520347542b
Instruction Fuzzy Hash: 09716BB0E0424ACFDB50DFA9C9807DEFBF2AF88314F148129E495EB254EB749841CB95

Function 01084804 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d531831bf4cbb8938117973ea39ec42080690628be35d53ec3e7eb74d082837
Instruction ID: 09eafc43d4e2b71c4145e2a78f869ac90eeda7753cc366be088426b9d2f3ce19
Opcode Fuzzy Hash: 7d531831bf4cbb8938117973ea39ec42080690628be35d53ec3e7eb74d082837
Instruction Fuzzy Hash: 2A7169B0E0424ACFDB50DFA9C9817DEFBF2AF88314F148129E495EB254EB749841CB95

Function 01086CE2 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7091559d869836c9e438cde93b2edee6228a8746c935c59e1c90f32a639be786
Instruction ID: ebf43359464e4b8b5cf7f90b7a3673b4c04a102df43c084f4a4042a761753b10
Opcode Fuzzy Hash: 7091559d869836c9e438cde93b2edee6228a8746c935c59e1c90f32a639be786
Instruction Fuzzy Hash: 9A512370D143188FDB14EFA9C884B9DBBF1BF48310F158169E899BB391D775A844CB91

Function 01086CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9c9779d87a63a0c482e71b4dd30590e5c79a90b8398aacffa49593402fe92
Instruction ID: 3730494397cdbbab7fe104ac0f78ae60e5cf0b356c464e9184b4df0305dcf6d7
Opcode Fuzzy Hash: 47f9c9779d87a63a0c482e71b4dd30590e5c79a90b8398aacffa49593402fe92
Instruction Fuzzy Hash: 8D512370D042188FDB18EFA9C884B9DBBF1BF48310F158129E899BB395DB75A844CF90

Function 01081128 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d884bf25b07bf0b4f79db21d84bb2929e4eb8e56b4f3106ae7083aa1a73f41
Instruction ID: 7495e8023b36a3bade06e1a7dc3aba458634e74e5be300e5c2aa8d4400e404c4
Opcode Fuzzy Hash: 35d884bf25b07bf0b4f79db21d84bb2929e4eb8e56b4f3106ae7083aa1a73f41
Instruction Fuzzy Hash: BF5100702152CA8FC70AFB7DF988B553FB5FB923087066969E100DB27ADA207D49DB41

Function 010896E0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c0a1b6436f4da42427fedc136cb606eb3a4abff0dd19fc752eed1bf73ce1fb
Instruction ID: a719f650ddffd0babe155ab0a1d7051978adb56ff7658fbb72f4589feb67531f
Opcode Fuzzy Hash: 55c0a1b6436f4da42427fedc136cb606eb3a4abff0dd19fc752eed1bf73ce1fb
Instruction Fuzzy Hash: 78418834B04206CBDF61BAA9D98067EB7B2FBC5214F200869D58AE7299D634EC418B81

Function 01081138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078e279ed87694f9b38de3d4babdfbb698af9770870b64e08aaa222b8815a1ae
Instruction ID: f9bb1e3163d7b656ed98ce9a5851474629aa833b191758b0ae33bbb23fb6a224
Opcode Fuzzy Hash: 078e279ed87694f9b38de3d4babdfbb698af9770870b64e08aaa222b8815a1ae
Instruction Fuzzy Hash: AE51ED702151CA8FC709FB7DF988B553FA9FB92308702A969E100EB279DA207D49CB41

Function 010826DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeacd15e9a381b72ebaabd5c4e9add9cfc64857178f6ea38fe95a9efb9a6652
Instruction ID: 3d367c941e56bd36267ac76f46cc4c41afcc430cf91a70b0a35cf07660b856de
Opcode Fuzzy Hash: abeacd15e9a381b72ebaabd5c4e9add9cfc64857178f6ea38fe95a9efb9a6652
Instruction Fuzzy Hash: D241DDB0D00249DFDB14DFA9C580ADEBBF5AF58310F20802AE849AB254DB75A945CB90

Function 0108F1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d2c58c55ebc5ec59ff30ce1b061e85b85275b1c33967e0e29a57890ce6eaf5
Instruction ID: 70cb58e1f59dc857c32040f8e7062e342c9fdbe39026c7aec6fbc676bef36f53
Opcode Fuzzy Hash: a0d2c58c55ebc5ec59ff30ce1b061e85b85275b1c33967e0e29a57890ce6eaf5
Instruction Fuzzy Hash: 6F316234E142069BCB19DFA8D55469EB7F6BF89300F10C919E846EB754DB70AC42CB50

Function 010826E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9efc0cbdeec8dd4cb901673771b38650bb25f5df64777df01aab7e8f8cb770
Instruction ID: f6e081a49135ff799556cdc78a9000a9395b1367ff925b8323a1ee2c8ea502a3
Opcode Fuzzy Hash: bf9efc0cbdeec8dd4cb901673771b38650bb25f5df64777df01aab7e8f8cb770
Instruction Fuzzy Hash: 0C41EEB0D00349DFDB10DFA9C980A9EBFF5FF48310F20802AE849AB254DB75A945CB90

Function 0108F1BE Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea3f8ec974030bdb152fe7d4f104c79f0e317f25a5bde8dd5e20ea2c7e38eff1
Instruction ID: beb7bda8302045794b12833b452ab98c6364183d7752deee1fc29942de763db3
Opcode Fuzzy Hash: ea3f8ec974030bdb152fe7d4f104c79f0e317f25a5bde8dd5e20ea2c7e38eff1
Instruction Fuzzy Hash: F6316138E142069BCB09DFB8D59469EB7F6BF89300F10C919E846EB754DB70AC42CB50

Function 01089250 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09791b244de42abbc1c9525754c2d5b4493ef5f284a391411b90a2fbb1ea98c4
Instruction ID: cd3048506ddc599c8b311e0c4c2894f53514436220697917ba0abc38070ad35c
Opcode Fuzzy Hash: 09791b244de42abbc1c9525754c2d5b4493ef5f284a391411b90a2fbb1ea98c4
Instruction Fuzzy Hash: 21319331E042059BCB09EFA8D9807AEF7B2FF89304F14C569E445EB355DB719882CB90

Function 01089260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d54e63ac8f8b7c778f5ee22db8fddf3006f1e60d7c8b39e03a9e49e720bff8
Instruction ID: ed1d03b732045ca5088bf5e7052e43f96bc7026918852568668c56d00e4def99
Opcode Fuzzy Hash: 09d54e63ac8f8b7c778f5ee22db8fddf3006f1e60d7c8b39e03a9e49e720bff8
Instruction Fuzzy Hash: 24218230E042099BDF05EFA9D5806AEF7B2FF89304F10C559E845EB255DB719842CB50

Function 01089150 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee40cb0b8f3d26864a11f6d6be0ede35e04ac89551294bc4a6a6b59697e2bebf
Instruction ID: a8afe1aded29e088dd10b40332c832e915571a40ca7899c89777fcd964b3fdca
Opcode Fuzzy Hash: ee40cb0b8f3d26864a11f6d6be0ede35e04ac89551294bc4a6a6b59697e2bebf
Instruction Fuzzy Hash: 5421B234E082069BCB19EFA8D8545EEB7B2AF89304F10855AE895F7350EB709D46CB50

Function 010816A0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2f1a0ad322ba717d2ff12c29ab8eefbf8958d854e33e22da3a7c90f50008dc
Instruction ID: c63fdad4a10aa757f5dd036272ba1d2cbcb355d32d2c72e6ce13e7acd2cd35ab
Opcode Fuzzy Hash: 5f2f1a0ad322ba717d2ff12c29ab8eefbf8958d854e33e22da3a7c90f50008dc
Instruction Fuzzy Hash: 9721D3746041818FDF63FBACF88875937A5FB45318F111AA9E087C726ADA348C828B91

Function 01084F88 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a1baf8879ade5217e5ce575eceb5325eb855d044bcc9a42e59ca6a9c9c6f45
Instruction ID: 93c0d74c165508f6f5e60b735ecff97c26c52a5f4848998634befee57e4a00db
Opcode Fuzzy Hash: c2a1baf8879ade5217e5ce575eceb5325eb855d044bcc9a42e59ca6a9c9c6f45
Instruction Fuzzy Hash: C4213534704245CFCB64EB78C99879D7BF1AF88204F2004A9E586EB3A5EB369D01CF90

Function 00E3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2986525183.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_e3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c11ff386722b598ef5890d07e4dbc0eedbab83767938439e2d3c5e69d5c361
Instruction ID: 6731f9e9d9edea34848d6205bd694862f6d0abb12f06eb1a114d7a154760426f
Opcode Fuzzy Hash: c4c11ff386722b598ef5890d07e4dbc0eedbab83767938439e2d3c5e69d5c361
Instruction Fuzzy Hash: 482107B5508200DFCB18DF14E9C8B26BF66FB84718F24C56DE94A5B296C336D847CE61

Function 01081380 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb79b52d24619b0a8fbe4f7f41b91261e2e40a4f9a2a4789f8a565dbee89470
Instruction ID: b523832a29c070a2eda2874ea7d0c768811cd8a23bed6dece52ccef0ab14d876
Opcode Fuzzy Hash: 9eb79b52d24619b0a8fbe4f7f41b91261e2e40a4f9a2a4789f8a565dbee89470
Instruction Fuzzy Hash: 6521C370A092414FDB77777CF4987293BA1EF42315F1019A9E4CADB2D7DA3988868742

Function 0108187C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ba04e6c9720d99a6570f917680f5f8112499c22406b72522e921a5593e9686
Instruction ID: 840ce0541e8b0150c2154860a218696fd064f8e62dc0894e3f9aa378615c7865
Opcode Fuzzy Hash: 67ba04e6c9720d99a6570f917680f5f8112499c22406b72522e921a5593e9686
Instruction Fuzzy Hash: EE219A30B08255CFDB65EB78C5147ED7BF2AF49200F1004A9D1C6EB291EB369D42CBA1

Function 01089A30 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6553b0591d02eb55a2f520822b14ea40adef47cda8a814ebef19dbc3547c177
Instruction ID: fe544d8f98b5cd27b56dab9e5e73f21268195bda64dc3e4b879c57affdd88f9c
Opcode Fuzzy Hash: d6553b0591d02eb55a2f520822b14ea40adef47cda8a814ebef19dbc3547c177
Instruction Fuzzy Hash: 8421C671B141158FDB14EB69C954BAEBBF6FFC8714F108065E545EB3A4DAB19C00C790

Function 01089160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783aaf7aa16d402ddee02eff9d2bd905fe6ea0cfbaae1217ab8fc7581e494885
Instruction ID: 9b5b0676c889a81faa2135e91c8a775a73807d339f0d5e5b024864e86ce3241a
Opcode Fuzzy Hash: 783aaf7aa16d402ddee02eff9d2bd905fe6ea0cfbaae1217ab8fc7581e494885
Instruction Fuzzy Hash: A921C534E0420A9BCF19EFA4C5545EEF7B2AF89304F10C56AE855F7344DB709845CB40

Function 01081888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fcf401ab061fc3a72bd825c008bc25ce196a772ea21876b370f830801e7306
Instruction ID: 045974a7b36a897afe8090349e45f0efb15e878ad80026fcbcaf10a8153bcca4
Opcode Fuzzy Hash: d3fcf401ab061fc3a72bd825c008bc25ce196a772ea21876b370f830801e7306
Instruction Fuzzy Hash: B0212730B04215CFDB64EA78C5546AE77F6AF49205F1004A9D186EB294EB369D42CBA1

Function 010816B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d2401b714dacce57d31ecd05bf028acd305e284a34237a452df36b4018eef5
Instruction ID: b7307f81ab185d2861498e976f2f3dab3287325add1cc95a637939b6377067ce
Opcode Fuzzy Hash: 11d2401b714dacce57d31ecd05bf028acd305e284a34237a452df36b4018eef5
Instruction Fuzzy Hash: 0D21C0386041818FDF67F76CF888B1937A9FB45318F115A69E086C726ADA34DC828B91

Function 01084F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae55f5e31893a6fcc2675ad6797f9b6d428e4a0cf595eb13be817736ce5b1ab
Instruction ID: faa586fb571fa0578fcd614477fe8a8e7c8dd0baaff23fb073e2ed82fa69252f
Opcode Fuzzy Hash: cae55f5e31893a6fcc2675ad6797f9b6d428e4a0cf595eb13be817736ce5b1ab
Instruction Fuzzy Hash: 2E213634700205CFCB64EB78C998AAD77F2EF48204F1004A9E586EB3A9DB369D01CB90

Function 00E3D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2986525183.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_e3d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c48c506a4c4e13381858dcd3876f39acdfcf6e635e54b6bbd9679e733c4b42
Instruction ID: a3f30cec72322a5ed813c1c3334c2593bf0328eac6320e77628a3ba085e94455
Opcode Fuzzy Hash: 35c48c506a4c4e13381858dcd3876f39acdfcf6e635e54b6bbd9679e733c4b42
Instruction Fuzzy Hash: 822171755093808FC716CF24D994715BF72EB46214F28C5DAD8498B6A7C33A980ACB62

Function 01080838 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd225b21112ddeb2d459b1cbaab0c22c21511c268da578ff1858d75748f08462
Instruction ID: 3c9c4db0ad59734efe82e0c177042895612a359101645c016bed5371a6e263ac
Opcode Fuzzy Hash: dd225b21112ddeb2d459b1cbaab0c22c21511c268da578ff1858d75748f08462
Instruction Fuzzy Hash: 8211A730A19205CBEFA676B8D4443693791EB41214F1449B9F4C6DB29BEA24CDC94BD2

Function 01080848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb20037351d0b10c7100d1d4fe38127e5b5b78e991d1bae2f081291a51155d6f
Instruction ID: 8e66fa83bf348640d330b1140658741051f0e4e20bc20be73e75096a6e6e94a6
Opcode Fuzzy Hash: eb20037351d0b10c7100d1d4fe38127e5b5b78e991d1bae2f081291a51155d6f
Instruction Fuzzy Hash: DC118230B18204CBEFA6B6BCD4487293291EB45214F1089B9F4C6CF25ADA21CCC95FD1

Function 010880F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a957fa4283526ca8d07055e498d5ba112e4de2f749c7960e3b5ac56ca13d9c34
Instruction ID: 2046e8fd69af98d0e51ca26db83730457ccf87e7228aa35b2b1cad3b890af179
Opcode Fuzzy Hash: a957fa4283526ca8d07055e498d5ba112e4de2f749c7960e3b5ac56ca13d9c34
Instruction Fuzzy Hash: 2C11D030A04145DFDB45FBA8F98579D7BB1EB40304F108A6EE004DB2A5EF319E458B81

Function 0108148C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d763fb826423d8fe75ea66c71e13cc154288e8fba3858cd0ac8de952f4797d
Instruction ID: afbfe8240298b1bfdd263fbb32643a6341a0caea1030dfdab76e7937a7680a82
Opcode Fuzzy Hash: b9d763fb826423d8fe75ea66c71e13cc154288e8fba3858cd0ac8de952f4797d
Instruction Fuzzy Hash: D9112E31A043159FCB61FFBC94501EEBBF5EF58260F1445BAD885E7206DB35C8428BA5

Function 010817C4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd9493add9c4b027dd686cf5b7ab25db56a23973cb23620e5f34390a5b95f64e
Instruction ID: 6c9a86b92564d43b74995f65b50ca60e499058d40992b2ca2cb8e171955c825e
Opcode Fuzzy Hash: fd9493add9c4b027dd686cf5b7ab25db56a23973cb23620e5f34390a5b95f64e
Instruction Fuzzy Hash: 3111C675F002118FCF61BBB9A90C35E7BF9BB88254F100669D98AD3349E73499418780

Function 01081498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb40a37a0ed9d90fad8556df66337a798aef6018dee2f2dd29c41b68b931268
Instruction ID: 247d012c27cfa399fa9045c3fd6fad1b0724b30d6986b234df7aae2d4e86c341
Opcode Fuzzy Hash: 5cb40a37a0ed9d90fad8556df66337a798aef6018dee2f2dd29c41b68b931268
Instruction Fuzzy Hash: C1012D31A042159FCB61FFBD84502AEBBE5EF58220F1444BAD885E7306EA35C8428BA5

Function 01089898 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852131cdbfa5b63259cbf90b5263ebcb3d3c632fe813ffa5e15ab422bb2891e1
Instruction ID: a46f0c9ea672ce4d47ba2f55d3d7fcd702b91d4b39c086457536e647d613492b
Opcode Fuzzy Hash: 852131cdbfa5b63259cbf90b5263ebcb3d3c632fe813ffa5e15ab422bb2891e1
Instruction Fuzzy Hash: 9201B531A001048BDB44EF99D98479ABBA5FFC4310F54C568D84C6F29AEBB0A945CBA1

Function 01081524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9832569df9bf813d45b685c8118dc77c1c1c638358eecc200164aeb5329b306f
Instruction ID: 7e9136564bbf38b4fdebe82c6a429ef63ffdb57df3dcdb6f2254319f2c933ccf
Opcode Fuzzy Hash: 9832569df9bf813d45b685c8118dc77c1c1c638358eecc200164aeb5329b306f
Instruction Fuzzy Hash: 93F02B73A0C110DFDB22ABAC94901ACBFA1FE6412171C40D7D4C6DB216D735D443C761

Function 01087090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923f596f19dff5d92ddd2fc97913ffd56691903c9830392ab324b55ee726caf7
Instruction ID: c6db7ba23ceaae5ab98e1e8f7d6241b811b8c001b41ca1b0006b90bb92194201
Opcode Fuzzy Hash: 923f596f19dff5d92ddd2fc97913ffd56691903c9830392ab324b55ee726caf7
Instruction Fuzzy Hash: 62F0C939B00104CFCB14DB74D598B6C77B2EF88715F5141A9E5069B3A9DB31AD42CF40

Function 01088100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2988172113.0000000001080000.00000040.00000800.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1080000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96879dab2db6db5fd8bd8064d4ff2fb9ce1c899fff12b34178c4acfbb3d2cc2
Instruction ID: 960b76851a11468d1a1c61de466dedec26346273e29e4f3dfa7e5408f0323d9b
Opcode Fuzzy Hash: f96879dab2db6db5fd8bd8064d4ff2fb9ce1c899fff12b34178c4acfbb3d2cc2
Instruction Fuzzy Hash: A0F03C74900149EFCB09FBF8F980A9D7BB1EB40304F509A68D404A72A8EF312F549B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Cmr JV2410180005.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Cmr JV2410180005.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kOtBoy.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43spzwod.fqo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czax2xex.lae.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hbnjeid0.rbu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mpvjau10.ooc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nca1ykdo.x4r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbxvwhva.fiq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb10veqf.wzn.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaiazckf.uvf.ps1

C:\Users\user\AppData\Local\Temp\tmp5941.tmp

C:\Users\user\AppData\Local\Temp\tmp7C89.tmp

C:\Users\user\AppData\Roaming\kOtBoy.exe

Windows Analysis Report
New Cmr JV2410180005.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre