Edit tour

Windows Analysis Report
45brrQrxwH.exe

Overview

General Information

Sample name:	45brrQrxwH.exe renamed because original name is a hash value
Original sample name:	cfaf6fedf4a8954df63b75e1574e66b3.exe
Analysis ID:	1427156
MD5:	cfaf6fedf4a8954df63b75e1574e66b3
SHA1:	dc5d8ed078cf6225e133c228670edac311af28b2
SHA256:	64c3f8bf923b9869c7b0f2a77eb1b1db64eae1caec23fa0da3da85c2c885b139
Tags:	32exetrojan
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

45brrQrxwH.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\45brrQrxwH.exe" MD5: CFAF6FEDF4A8954DF63B75E1574E66B3)

powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8024 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7756 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

45brrQrxwH.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\45brrQrxwH.exe" MD5: CFAF6FEDF4A8954DF63B75E1574E66B3)

45brrQrxwH.exe (PID: 7892 cmdline: "C:\Users\user\Desktop\45brrQrxwH.exe" MD5: CFAF6FEDF4A8954DF63B75E1574E66B3)

XEWKUH.exe (PID: 8160 cmdline: C:\Users\user\AppData\Roaming\XEWKUH.exe MD5: CFAF6FEDF4A8954DF63B75E1574E66B3)

schtasks.exe (PID: 7216 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

XEWKUH.exe (PID: 5996 cmdline: "C:\Users\user\AppData\Roaming\XEWKUH.exe" MD5: CFAF6FEDF4A8954DF63B75E1574E66B3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "fknhxyuavrcsphhd"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 45brrQrxwH.exe PID: 7432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 45brrQrxwH.exe PID: 7432	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 45brrQrxwH.exe PID: 7432	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 45brrQrxwH.exe PID: 7892	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 45brrQrxwH.exe PID: 7892	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: XEWKUH.exe PID: 8160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: XEWKUH.exe PID: 8160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: XEWKUH.exe PID: 8160	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: XEWKUH.exe PID: 5996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: XEWKUH.exe PID: 5996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.45brrQrxwH.exe.49a9810.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.45brrQrxwH.exe.49a9810.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.45brrQrxwH.exe.49a9810.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33127:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33243:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3331f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33445:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.45brrQrxwH.exe.496d1f0.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.45brrQrxwH.exe.496d1f0.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.45brrQrxwH.exe.496d1f0.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33127:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33243:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3331f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33445:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.XEWKUH.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.XEWKUH.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
14.2.XEWKUH.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34eb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3511f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35245:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.XEWKUH.exe.3d62190.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.XEWKUH.exe.3d62190.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.XEWKUH.exe.3d62190.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33127:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33243:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3331f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33445:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.XEWKUH.exe.3d9e7b0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.XEWKUH.exe.3d9e7b0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.XEWKUH.exe.3d9e7b0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33127:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33243:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3331f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33445:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.45brrQrxwH.exe.49a9810.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.45brrQrxwH.exe.49a9810.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.45brrQrxwH.exe.49a9810.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34eb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x712d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x71347:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x713d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x71463:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x714cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3511f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7153f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x715d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35245:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x71665:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34eb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x712d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x71347:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x713d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x71463:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x714cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3511f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7153f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x715d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35245:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x71665:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34eb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x714d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xad8f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x71547:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xad967:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x715d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xad9f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x71663:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xada83:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x716cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xadaed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3511f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7173f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xadb5f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x717d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xadbf5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
11.2.XEWKUH.exe.3d62190.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.XEWKUH.exe.3d62190.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.XEWKUH.exe.3d62190.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34eb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x714d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xad8f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x71547:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xad967:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x715d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xad9f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x71663:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xada83:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x716cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xadaed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3511f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x7173f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xadb5f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x717d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xadbf5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\45brrQrxwH.exe", ParentImage: C:\Users\user\Desktop\45brrQrxwH.exe, ParentProcessId: 7432, ParentProcessName: 45brrQrxwH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", ProcessId: 7616, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XEWKUH.exe, ParentImage: C:\Users\user\AppData\Roaming\XEWKUH.exe, ParentProcessId: 8160, ParentProcessName: XEWKUH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp", ProcessId: 7216, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\45brrQrxwH.exe, Initiated: true, ProcessId: 7892, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\45brrQrxwH.exe", ParentImage: C:\Users\user\Desktop\45brrQrxwH.exe, ParentProcessId: 7432, ParentProcessName: 45brrQrxwH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", ProcessId: 7756, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\45brrQrxwH.exe", ParentImage: C:\Users\user\Desktop\45brrQrxwH.exe, ParentProcessId: 7432, ParentProcessName: 45brrQrxwH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe", ProcessId: 7616, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\45brrQrxwH.exe", ParentImage: C:\Users\user\Desktop\45brrQrxwH.exe, ParentProcessId: 7432, ParentProcessName: 45brrQrxwH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp", ProcessId: 7756, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 45brrQrxwH.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\XEWKUH.exe

Avira: detection malicious, Label: TR/AD.GenSteal.kgogp

Found malware configuration

Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "viorel5000@yandex.ru", "Password": "fknhxyuavrcsphhd"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Virustotal: Detection: 70%			Perma Link

Multi AV Scanner detection for submitted file

Source: 45brrQrxwH.exe	ReversingLabs: Detection: 68%
Source: 45brrQrxwH.exe	Virustotal: Detection: 69%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\XEWKUH.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 45brrQrxwH.exe

Joe Sandbox ML: detected

Source: 45brrQrxwH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: 45brrQrxwH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: GrPo.pdbSHA256 source: 45brrQrxwH.exe, XEWKUH.exe.0.dr
Source:	Binary string: GrPo.pdb source: 45brrQrxwH.exe, XEWKUH.exe.0.dr

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 4x nop then jmp 0CB3AC99h		0_2_0CB3AECB
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 4x nop then jmp 07469F41h		11_2_0746A173

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 77.88.21.158:587

Source: Joe Sandbox View	IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 77.88.21.158:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: 45brrQrxwH.exe, XEWKUH.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 45brrQrxwH.exe, XEWKUH.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.glob
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891722056.0000000006560000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.0000000001277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: 45brrQrxwH.exe, XEWKUH.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891722056.0000000006560000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 45brrQrxwH.exe, 00000000.00000002.1676007009.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1715474200.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.yandex.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682481464.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com-u
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 45brrQrxwH.exe, 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: 45brrQrxwH.exe, 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: 45brrQrxwH.exe, XEWKUH.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065F7000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891722056.0000000006560000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2891881314.00000000065AC000.00000004.00000020.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A00000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2872028506.00000000010F7000.00000004.00000020.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2893047901.0000000006A25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49739 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, K6raBsUk6.cs

.Net Code: dY0HHDevtD

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.45brrQrxwH.exe.49a9810.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.45brrQrxwH.exe.496d1f0.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.XEWKUH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.XEWKUH.exe.3d62190.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.XEWKUH.exe.3d9e7b0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.XEWKUH.exe.3d62190.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.45brrQrxwH.exe.7460000.12.raw.unpack, -Module-.cs	Large array initialization: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E: array initializer size 2976
Source: 0.2.45brrQrxwH.exe.2c46998.0.raw.unpack, -Module-.cs	Large array initialization: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E: array initializer size 2976

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_012AFC18	0_2_012AFC18
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_012AFC09	0_2_012AFC09
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_012ADCD4	0_2_012ADCD4
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB318B8	0_2_0CB318B8
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB3AB88	0_2_0CB3AB88
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB3C7E0	0_2_0CB3C7E0
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB34D30	0_2_0CB34D30
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB318AB	0_2_0CB318AB
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB348F8	0_2_0CB348F8
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB348E8	0_2_0CB348E8
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB36810	0_2_0CB36810
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB36800	0_2_0CB36800
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB344C0	0_2_0CB344C0
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB38049	0_2_0CB38049
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB3117B	0_2_0CB3117B
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_0CB363D8	0_2_0CB363D8
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013AA1AA	9_2_013AA1AA
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013A41C8	9_2_013A41C8
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013AE67F	9_2_013AE67F
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013AAA3A	9_2_013AAA3A
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013A4A98	9_2_013A4A98
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013A3E80	9_2_013A3E80
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C165D0	9_2_06C165D0
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C17D58	9_2_06C17D58
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C15578	9_2_06C15578
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C1B20A	9_2_06C1B20A
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C13040	9_2_06C13040
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C17678	9_2_06C17678
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C15CC7	9_2_06C15CC7
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C1E380	9_2_06C1E380
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C10040	9_2_06C10040
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_06C10007	9_2_06C10007
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_02B0FC18	11_2_02B0FC18
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_02B0DCD4	11_2_02B0DCD4
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_02B0FC09	11_2_02B0FC09
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_07469E32	11_2_07469E32
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_0746B9D0	11_2_0746B9D0
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_074618B8	11_2_074618B8
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_074644C0	11_2_074644C0
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_074663D8	11_2_074663D8
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_07464D30	11_2_07464D30
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_07466800	11_2_07466800
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_07466810	11_2_07466810
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_074648F8	11_2_074648F8
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_074618AA	11_2_074618AA
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EF41C8	14_2_02EF41C8
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EF4A98	14_2_02EF4A98
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EFE811	14_2_02EFE811
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EF3E80	14_2_02EF3E80
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EFA980	14_2_02EFA980
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C565D0	14_2_06C565D0
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C57D58	14_2_06C57D58
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C55578	14_2_06C55578
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C5B20A	14_2_06C5B20A
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C53040	14_2_06C53040
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C57678	14_2_06C57678
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C55CC7	14_2_06C55CC7
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C5E380	14_2_06C5E380
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C50040	14_2_06C50040
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_06C50006	14_2_06C50006

Source: 45brrQrxwH.exe

Static PE information: invalid certificate

Source: 45brrQrxwH.exe, 00000000.00000000.1618818899.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGrPo.exeF vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb02e2ec5-9746-46a0-b9cb-1759d306bdf4.exe4 vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000000.00000002.1671993163.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000000.00000002.1678240025.00000000045FE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000000.00000002.1685312412.000000000CE10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000000.00000002.1676007009.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameb02e2ec5-9746-46a0-b9cb-1759d306bdf4.exe4 vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe, 00000009.00000002.2871786317.0000000000DB9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 45brrQrxwH.exe
Source: 45brrQrxwH.exe	Binary or memory string: OriginalFilenameGrPo.exeF vs 45brrQrxwH.exe

Source: 45brrQrxwH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.45brrQrxwH.exe.49a9810.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.45brrQrxwH.exe.496d1f0.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.XEWKUH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.XEWKUH.exe.3d62190.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.XEWKUH.exe.3d9e7b0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.XEWKUH.exe.3d62190.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 45brrQrxwH.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: XEWKUH.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, c2bZQnG.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, Q1L0K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, Q1L0K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, uo1UBaEHa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, uo1UBaEHa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, uo1UBaEHa.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, uo1UBaEHa.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, riNAXZ6HF1cuNjfj0y.cs	Security API names: _0020.SetAccessControl
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, riNAXZ6HF1cuNjfj0y.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, riNAXZ6HF1cuNjfj0y.cs	Security API names: _0020.AddAccessRule
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, yPVL7dgAKrCaiOSvIX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.45brrQrxwH.exe.2c85560.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.45brrQrxwH.exe.ca90000.13.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.45brrQrxwH.exe.2c66388.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File created: C:\Users\user\AppData\Roaming\XEWKUH.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Mutant created: \Sessions\1\BaseNamedObjects\hXBUVzt

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File created: C:\Users\user\AppData\Local\Temp\tmp365A.tmp

Jump to behavior

Source: 45brrQrxwH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 45brrQrxwH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 45brrQrxwH.exe	ReversingLabs: Detection: 68%
Source: 45brrQrxwH.exe	Virustotal: Detection: 69%

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File read: C:\Users\user\Desktop\45brrQrxwH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XEWKUH.exe C:\Users\user\AppData\Roaming\XEWKUH.exe
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Users\user\AppData\Roaming\XEWKUH.exe "C:\Users\user\AppData\Roaming\XEWKUH.exe"
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Users\user\AppData\Roaming\XEWKUH.exe "C:\Users\user\AppData\Roaming\XEWKUH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 45brrQrxwH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 45brrQrxwH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 45brrQrxwH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: GrPo.pdbSHA256 source: 45brrQrxwH.exe, XEWKUH.exe.0.dr
Source:	Binary string: GrPo.pdb source: 45brrQrxwH.exe, XEWKUH.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 45brrQrxwH.exe, Form1.cs	.Net Code: InitializeComponent
Source: XEWKUH.exe.0.dr, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, riNAXZ6HF1cuNjfj0y.cs	.Net Code: pCutViC4ZA System.Reflection.Assembly.Load(byte[])
Source: 0.2.45brrQrxwH.exe.7460000.12.raw.unpack, -Module-.cs	.Net Code: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.45brrQrxwH.exe.7460000.12.raw.unpack, Dill.cs	.Net Code: Justy
Source: 0.2.45brrQrxwH.exe.7460000.12.raw.unpack, Dill.cs	.Net Code: _200C_202B_202A_200B_200F_202E_202D_202A_206F_202A_202A_206D_202D_200F_202E_206C_206C_200B_202B_200E_202B_200E_200C_200C_206F_202E_202D_200F_202E_202B_200E_206C_202A_202D_202A_206E_202B_206A_200C_200F_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.45brrQrxwH.exe.2c46998.0.raw.unpack, -Module-.cs	.Net Code: _206A_200E_202E_206C_206B_206B_202B_206A_206B_200C_202D_200E_206D_200C_200E_206E_206D_202C_202C_200C_206A_206F_200B_206D_202E_206A_200E_206F_200E_202B_206B_202A_202B_206D_206D_202A_206B_200B_202C_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.45brrQrxwH.exe.2c46998.0.raw.unpack, Dill.cs	.Net Code: Justy
Source: 0.2.45brrQrxwH.exe.2c46998.0.raw.unpack, Dill.cs	.Net Code: _200C_202B_202A_200B_200F_202E_202D_202A_206F_202A_202A_206D_202D_200F_202E_206C_206C_200B_202B_200E_202B_200E_200C_200C_206F_202E_202D_200F_202E_202B_200E_206C_202A_202D_202A_206E_202B_206A_200C_200F_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 0_2_012AF1D0 push esp; iretd	0_2_012AF1D1
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013A0C3D push edi; ret	9_2_013A0CC2
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Code function: 9_2_013A0C95 push edi; retf	9_2_013A0C3A
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 11_2_02B0F1D0 push esp; iretd	11_2_02B0F1D1
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EFA518 push eax; retf	14_2_02EFA6D9
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EF0C95 push edi; retf	14_2_02EF0C3A
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Code function: 14_2_02EF0C3D push edi; ret	14_2_02EF0CC2

Source: 45brrQrxwH.exe	Static PE information: section name: .text entropy: 7.989229462300673
Source: XEWKUH.exe.0.dr	Static PE information: section name: .text entropy: 7.989229462300673

Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, qT3LKKY12RyaEsFwCQ.cs	High entropy of concatenated method names: 'rgMDQY8NsD', 'EDEDn8UAyR', 'KMsBqSZfbf', 'LhGBjSgZOL', 'wJJDiofuf8', 'mk1DZs5Z7J', 'FIJDE5EpJx', 'dx6DdSrcZp', 'QF7DoCFJxm', 'daMDvv7NKF'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, FrqrXuntsRY4dQ12m3.cs	High entropy of concatenated method names: 'ob4kjykZ5O', 'I7ikGDo2EA', 'm9KktriXEi', 'PXBkXW61XP', 'EkxkpCDnSp', 'iO9k2l9t2n', 'JIsk3dMvaR', 'k8yBOfZ25Y', 'M4YBQtNs7Z', 'R4ZBsRauKf'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, r9uiNR592kIU8jstUu.cs	High entropy of concatenated method names: 'OeJJXVVkRM', 'd0dJAtVWxf', 'JNLJ3Pw3hs', 'Les3nu8dTx', 'dRs3zjnOAM', 'Cq5JquivCT', 'WlLJjoTu1c', 'FbHJ7tPmjy', 'kcOJG22iB2', 'uPqJt26D4a'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, zvrtm7dQhHRB5nuN5A.cs	High entropy of concatenated method names: 'z8NU4sS22E', 'SMpUZoj8gX', 'xodUdV4wpE', 'QnyUoK9VIP', 'xJRUKtdMyf', 'BrJUwCOMxv', 'cmZUcLZoMa', 'R5SUWxjefm', 'GSkURSWeH5', 'oLUU5ihob2'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, jblDDrjG64QnQWFhj1x.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'G9N8de7Hvv', 'xoQ8oBj3Be', 'OtT8vt907c', 'PhH8rr57ik', 'HcF8CLs6cV', 'sRR8YDM6AS', 'gqD8OBIfl0'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, CiHXoLHpM6OChBDZwg.cs	High entropy of concatenated method names: 'mZX31rhmsX', 'dpS3pSqrAG', 'Orl32HTDp6', 'yLc3JnbXKq', 'S1n36nxsap', 'cxa2CphKqs', 'N1K2YN38pE', 'kDX2OBMOIt', 'Vb12QeEime', 'sLf2saINeu'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, kom4uK7RDLsv0gMB33.cs	High entropy of concatenated method names: 'C6yVeVuTU', 'ceGbHG0fm', 'mQ1hAmAjp', 'Nd9yZUnjE', 'wSWuI73mM', 'f67TGuuwt', 'fBkytDD3fuDVBfuNFN', 'LXSXWr7M7SIkSFglt2', 'QROB2OeVW', 'dqg84xl77'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, Jhesgp9D5oI16DZtfW.cs	High entropy of concatenated method names: 'R1SJNbwAHx', 'lwoJelnlA4', 's7MJVqySuZ', 'IkpJbcSJN1', 'rhMJfLfBFQ', 'ronJhDDBa7', 'iEoJyg5JcN', 'HuFJgvTcoO', 'jxbJuyEHYP', 'FFJJTwPmn7'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, HeM0FJKgQhnrdHrB3b.cs	High entropy of concatenated method names: 'sFGb1c1SXclmjg0KRDx', 'POLGsY1Ax9vwr2qBm0u', 'a393BMaqfW', 'egH3k8VW0G', 'xOE38OrSIj', 'WCPLxU1E5n1ljZQvcoF', 'f1dO681vtSflvb7VQF2'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, yaZic2T9SZ4uucIGZ0.cs	High entropy of concatenated method names: 'VMf2flaBu4', 'XEC2ytEI76', 'cylAwaXqtN', 'MebAcoo8A4', 'LskAWDGI8Y', 'q5YARrJ7kI', 'dnxA52tZjP', 'dNaAI0F4I8', 'Kn4A9tYtNZ', 'AiAA4wAsc4'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, riNAXZ6HF1cuNjfj0y.cs	High entropy of concatenated method names: 'eHsG1E63wj', 'TvNGXXAcgP', 'zuIGp9GkmT', 'APtGAEUN8B', 'dkNG2a15Ri', 'MJCG3ccPhh', 'O4hGJ5Eiyo', 'kTwG6xP1Ln', 'IpcGmaxLtD', 'pK0G0196PM'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, sTQKbZEmg7O4w4HHge.cs	High entropy of concatenated method names: 'IchxgDIyUR', 'xD9xuqFqu6', 'mdVxHWVkPL', 'dmSxK7LneS', 'Pxvxcuwfow', 't79xWels4t', 'wnPx5QQJpV', 'daMxIZuHcj', 'TFAx4bju8g', 'r1oxiMZMA7'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, ta9mSRQsG1OWUofc1C.cs	High entropy of concatenated method names: 'WPVBXvsc74', 'ihlBpoRthF', 'fmeBAb4J68', 'GT4B2AUn5S', 'tg4B34NIpv', 'WIbBJscVwa', 'zJhB6mA9Fx', 'sQkBmThV6V', 'XsnB0f0tpw', 'KOLBL70dty'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, cnrwLjtT72mgvPT8Px.cs	High entropy of concatenated method names: 'JeejJPVL7d', 'hKrj6CaiOS', 'kX3j01vDt1', 'BZjjLReaZi', 'IIGjUZ0hiH', 'foLjSpM6OC', 'eZUmMCmYP5M3sKlpYb', 'AohLhwWyTAnWm1ExL9', 'yW2jjgNtOs', 'dNdjGkXONP'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, zDsIOopUytTPMLukrI.cs	High entropy of concatenated method names: 'Dispose', 'k0fjsDkVTA', 'Gnt7Kr2rER', 'uJCoocSYRP', 'DMajn9mSRs', 'c1OjzWUofc', 'ProcessDialogKey', 'eCF7qdLaP4', 'znO7jTR5Cw', 'VG077TrqrX'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, yPVL7dgAKrCaiOSvIX.cs	High entropy of concatenated method names: 'UXFpdyhN85', 'hIYpo7gm2P', 'IGKpvu2nAq', 'KnXprjfwJY', 'Gx2pC0eXCt', 'VSxpYDmdPY', 'RdfpOldiRv', 'moDpQsILqJ', 'OKCpsGIVXd', 'RQFpnF8QG5'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, udLaP4senOTR5CwYG0.cs	High entropy of concatenated method names: 'oLIBHvrMK1', 'QOvBKrPwyP', 'AsFBwjnxtL', 'FrRBc8fFKn', 'po7BdyTorn', 'slYBW6qNCP', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, sme82evSWIDqGFNKs9.cs	High entropy of concatenated method names: 'ToString', 'lr8SilOZVh', 'wbRSKcIFqC', 'UbUSwall1O', 'EkMScJKXHo', 'qCjSWAKU1F', 'hthSRvLj69', 'lssS5bPrLZ', 'wf8SIRv1C3', 'AsDS9neIS2'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, NcbY96uX31vDt1hZjR.cs	High entropy of concatenated method names: 'oQVAbieoIj', 'UsBAh1UOci', 'zf1AgUVol7', 'YECAucm2pu', 'msgAU7m0wB', 'rUvASU9q8E', 'DmyAD2X3Zo', 'XPdABoXoH3', 'StYAkEaD6v', 'cMUA81UWTx'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, V3KwlAjqK6huwGZedNF.cs	High entropy of concatenated method names: 'yNokNGakmF', 'pH7ke7oKYj', 'TqmkV4Kmvr', 'RqnkbX38AK', 'E3jkfww971', 'EnokhKWKGU', 'vNNky2y5Sa', 'gXJkgYFRTj', 'c8fkuTfLju', 'IaokTtba0r'
Source: 0.2.45brrQrxwH.exe.ce10000.14.raw.unpack, C22dikztXFeTmP6Oyu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LDnkxJNPU5', 'uIekURhIEd', 'yxikScph46', 'Xa9kDytuW4', 'VPBkBb8vCM', 'OTnkkiZ3BW', 'Kbuk8IFm68'

Source: C:\Users\user\Desktop\45brrQrxwH.exe

File created: C:\Users\user\AppData\Roaming\XEWKUH.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 8160, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 85C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 8760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 9760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 9A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: AA90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: BA90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: CE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: DE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: EE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: F4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory allocated: 1600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 73E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 70D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 83E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 93E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: A6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 7720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: A6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory allocated: 4F10000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7182	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 819	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8546	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1077	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Window / User API: threadDelayed 4446	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Window / User API: threadDelayed 5403	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Window / User API: threadDelayed 6856
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Window / User API: threadDelayed 2993

Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 7452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7932	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8152	Thread sleep count: 4446 > 30	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8152	Thread sleep count: 5403 > 30	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -198124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98491s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98146s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97788s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97433s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -96063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -95938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -99303s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe TID: 8136	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 8180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7252	Thread sleep count: 6856 > 30
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7252	Thread sleep count: 2993 > 30
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98680s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98568s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97749s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96874s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96655s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96544s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99999s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99407s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98358s >= -30000s
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe TID: 7244	Thread sleep time: -98223s >= -30000s

Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\45brrQrxwH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99719	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98952	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98719	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98491	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98146	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97788	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97547	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97433	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97314	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96188	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 96063	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 95938	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99984	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 99303	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98843	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99781
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99562
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99453
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99343
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99234
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99125
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99015
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98796
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98680
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98568
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97749
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97421
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96874
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96655
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96544
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 96328
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99999
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99891
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99657
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99407
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99187
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98860
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98358
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Thread delayed: delay time: 98223

Source: 45brrQrxwH.exe, 00000009.00000002.2873182692.00000000012DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB12
Source: XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Memory written: C:\Users\user\Desktop\45brrQrxwH.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Memory written: C:\Users\user\AppData\Roaming\XEWKUH.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Process created: C:\Users\user\Desktop\45brrQrxwH.exe "C:\Users\user\Desktop\45brrQrxwH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Process created: C:\Users\user\AppData\Roaming\XEWKUH.exe "C:\Users\user\AppData\Roaming\XEWKUH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Users\user\Desktop\45brrQrxwH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Users\user\Desktop\45brrQrxwH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Users\user\AppData\Roaming\XEWKUH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Users\user\AppData\Roaming\XEWKUH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\45brrQrxwH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.XEWKUH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 5996, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\45brrQrxwH.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\45brrQrxwH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\45brrQrxwH.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\XEWKUH.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.XEWKUH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 5996, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.XEWKUH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.49a9810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d9e7b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.45brrQrxwH.exe.496d1f0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.XEWKUH.exe.3d62190.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 45brrQrxwH.exe PID: 7892, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XEWKUH.exe PID: 5996, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
45brrQrxwH.exe	68%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
45brrQrxwH.exe	69%	Virustotal		Browse
45brrQrxwH.exe	100%	Avira	TR/AD.GenSteal.kgogp
45brrQrxwH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\XEWKUH.exe	100%	Avira	TR/AD.GenSteal.kgogp
C:\Users\user\AppData\Roaming\XEWKUH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\XEWKUH.exe	68%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
C:\Users\user\AppData\Roaming\XEWKUH.exe	70%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://go.mic	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
smtp.yandex.ru	77.88.21.158	true	false	high
api.ipify.org	172.67.74.152	true	false	high
smtp.yandex.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://account.dyn.com/	45brrQrxwH.exe, 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.glob	XEWKUH.exe, 0000000E.00000002.2872028506.000000000114C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	45brrQrxwH.exe, XEWKUH.exe.0.dr	false	URL Reputation: safe	unknown
http://go.mic	45brrQrxwH.exe, 00000009.00000002.2873182692.0000000001277000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.yandex.com	45brrQrxwH.exe, 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000003114000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000003044000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.galapagosdesign.com/staff/dennis.htm	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	45brrQrxwH.exe, 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers/frere-user.html	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com-u	45brrQrxwH.exe, 00000000.00000002.1682481464.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jiyu-kobo.co.jp/	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	45brrQrxwH.exe, 00000000.00000002.1676007009.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp, 45brrQrxwH.exe, 00000009.00000002.2876066217.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000B.00000002.1715474200.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, XEWKUH.exe, 0000000E.00000002.2875685208.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	45brrQrxwH.exe, 00000000.00000002.1682521586.0000000006D82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.88.21.158	smtp.yandex.ru	Russian Federation		13238	YANDEXRU	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427156
Start date and time:	2024-04-17 06:23:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	45brrQrxwH.exe renamed because original name is a hash value
Original Sample Name:	cfaf6fedf4a8954df63b75e1574e66b3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 172 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:23:56	Task Scheduler	Run new task: XEWKUH path: C:\Users\user\AppData\Roaming\XEWKUH.exe
06:23:51	API Interceptor	73x Sleep call for process: 45brrQrxwH.exe modified
06:23:54	API Interceptor	38x Sleep call for process: powershell.exe modified
06:23:57	API Interceptor	68x Sleep call for process: XEWKUH.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.88.21.158	Order_ OFI-MAR-2024-000019_ Valve pdf.exe	Get hash	malicious	AgentTesla	Browse
	PO No.109480 Dt.18Mar2024 pdf.exe	Get hash	malicious	AgentTesla	Browse
	https://cdn.discordapp.com/attachments/1219079930122338327/1219193029647274034/PO_No.109480_Dt.18Mar2024_pdf.7z?ex=660a68fd&is=65f7f3fd&hm=c1267cdec3cb72a30ed3524db2c95f7e2274d988486fe24145ef7f3d03bd1e0b&	Get hash	malicious	AgentTesla	Browse
	TT_payment_swift_copy_#11-03-2024.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.SpyBotNET.75.7639.3836.exe	Get hash	malicious	AgentTesla	Browse
	18uCIUfRfU.exe	Get hash	malicious	AgentTesla	Browse
	sZ3v675Idu.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	NUEVA_PO_AC71189.doc	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.22690.19845.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	jdc9ITsf3v.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
smtp.yandex.ru	RFQ.doc	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	Order_ OFI-MAR-2024-000019_ Valve pdf.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	PO No.109480 Dt.18Mar2024 pdf.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	https://cdn.discordapp.com/attachments/1219079930122338327/1219193029647274034/PO_No.109480_Dt.18Mar2024_pdf.7z?ex=660a68fd&is=65f7f3fd&hm=c1267cdec3cb72a30ed3524db2c95f7e2274d988486fe24145ef7f3d03bd1e0b&	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	TT_payment_swift_copy_#11-03-2024.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	PO-45728-10876.doc	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	SecuriteInfo.com.BackDoor.SpyBotNET.75.7639.3836.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	18uCIUfRfU.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
	sZ3v675Idu.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	77.88.21.158
	NUEVA_PO_AC71189.doc	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	77.88.21.158
api.ipify.org	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	msXkgFIUyS.rtf	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	remittance payment of invoice DMWW24009.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://worker-royal-sun-1090.nipocas604.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	z158xIuvhauCQiddTe.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	z34PDnVzyEItkXaInw.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://webex-install.com	Get hash	malicious	NetSupport RAT	Browse	104.26.13.205
	SecuriteInfo.com.Win64.PWSX-gen.6289.18727.exe	Get hash	malicious	CredGrabber, Meduza Stealer, PureLog Stealer	Browse	172.67.74.152
	gKN4xIjj5o.exe	Get hash	malicious	CredGrabber, PureLog Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
YANDEXRU	http://www.makefun.online	Get hash	malicious	Captcha Phish	Browse	213.180.204.90
	http://marvin-occentus.net	Get hash	malicious	Unknown	Browse	87.250.251.119
	http://h.top4top.io	Get hash	malicious	Unknown	Browse	77.88.55.60
	https://www.tb-parts.ru/	Get hash	malicious	Unknown	Browse	77.88.55.60
	https://goo.su/mwrmX	Get hash	malicious	Unknown	Browse	77.88.55.60
	http://discovus.com	Get hash	malicious	Unknown	Browse	87.250.251.119
	https://telegra.ph/BTC-Transaction--702210-03-14?x85r	Get hash	malicious	Unknown	Browse	87.250.251.134
	https://steamfiller.ru/	Get hash	malicious	Unknown	Browse	93.158.134.119
	https://cchcontent.com/?k=d779c440edb57bd974c500d65f843657&type=mainstream&subtype=global&data1=pc	Get hash	malicious	Unknown	Browse	5.255.255.77
	https://clck.ru/38QShT	Get hash	malicious	Unknown	Browse	213.180.204.24
CLOUDFLARENETUS	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	3otr19d5Oq.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.77.31
	msXkgFIUyS.rtf	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://bookstopbuzz.com	Get hash	malicious	Unknown	Browse	23.227.38.65
	remittance payment of invoice DMWW24009.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.177.98
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Hays_compiled_documents.ZIP.js	Get hash	malicious	Unknown	Browse	104.21.95.148
	https://telegra.ph/Stephen-M-Hickey-04-10	Get hash	malicious	HTMLPhisher	Browse	172.66.47.93
	https://bestohiomortgagerate.com/dream/mer/7/nobody@nobody.org	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	remittance payment of invoice DMWW24009.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.74.152
	NOA, BL and invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Hays_compiled_documents.ZIP.js	Get hash	malicious	Unknown	Browse	172.67.74.152
	MdeeRbWvqe.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.74.152
	bCsfnThSOV.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.74.152
	bCsfnThSOV.exe	Get hash	malicious	Phemedrone Stealer	Browse	172.67.74.152
	z158xIuvhauCQiddTe.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	z34PDnVzyEItkXaInw.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\45brrQrxwH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XEWKUH.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\XEWKUH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	F9B7CF60C22DBE6B73266580FFD54629
SHA1:	05ED734C0A5EF2ECD025D4E39321ECDC96612623
SHA-256:	880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
SHA-512:	F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42je1sfx.03f.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcgfpzw5.w3t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_go252xjx.txz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hycgfdcy.xlg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okpkk2nj.ahp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_se303tbl.oa0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xputypb2.s4g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuvhpig3.ge3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp365A.tmp

Download File

Process:	C:\Users\user\Desktop\45brrQrxwH.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.115151980727059
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtau+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT7yv
MD5:	7F2259387FF098B9D338AC7BA7DFF967
SHA1:	79F6576A883BFD5EA0B54F7BA0D52D629E31EFEF
SHA-256:	64824EFE7AD415A19F331008C3EB1D1BEF318208321B72961939A534BC743756
SHA-512:	939999FF6C2393320191CE34647CA3EF71F5A4627D9532F9CABC6785B07BA5763EA3800F60D8A5AC5824B89A524F2D89DB381B9C05C4DDB78EED17AD3D57F0BF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp4771.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\XEWKUH.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.115151980727059
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtau+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuT7yv
MD5:	7F2259387FF098B9D338AC7BA7DFF967
SHA1:	79F6576A883BFD5EA0B54F7BA0D52D629E31EFEF
SHA-256:	64824EFE7AD415A19F331008C3EB1D1BEF318208321B72961939A534BC743756
SHA-512:	939999FF6C2393320191CE34647CA3EF71F5A4627D9532F9CABC6785B07BA5763EA3800F60D8A5AC5824B89A524F2D89DB381B9C05C4DDB78EED17AD3D57F0BF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\XEWKUH.exe

Download File

Process:	C:\Users\user\Desktop\45brrQrxwH.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	666120
Entropy (8bit):	7.984133069410215
Encrypted:	false
SSDEEP:	12288:kkvq31eoWxRl1d7EmIsoY+rq5hUo22vKY8kALxwtOzfnzRxaMpTjAB8d45VIo6w3:keqF8d4mIn6UoVvKY8BGCfnzR3pTM8Sx
MD5:	CFAF6FEDF4A8954DF63B75E1574E66B3
SHA1:	DC5D8ED078CF6225E133C228670EDAC311AF28B2
SHA-256:	64C3F8BF923B9869C7B0F2A77EB1B1DB64EAE1CAEC23FA0DA3DA85C2C885B139
SHA-512:	280184ECC259C57D4F09D53C3A71F648049539FE864FBC108FC806F8E4578CF13E25EDA98FFAF4E7170ED9B5EAB4A5FC1CFE9306E90B05AF5DC9430C6F0B94A8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 70%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?c.f..............0.............z.... ... ....@.. .......................`............@.................................%...O.... ..d................6...@......t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...d.... ......................@..@.reloc.......@......................@..B................Y.......H...........$............M..............................................^..}.....(.......(......0..+.........,..{.......+....,...{....o........(.....v..(......r...p(.......(.....^..}.....(.......(........{....r...p.o.....1....o.....1...(....o......0..+.........,..{.......+....,...{....o........(.......0................( ...s!.....s"...}.....s....}.....s....}.....s....}.....s....}.....(......{.....o#.....{......s$...o%.....{....r%..po......{........s&...o'.....{.....o(..

C:\Users\user\AppData\Roaming\XEWKUH.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\45brrQrxwH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.984133069410215
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	45brrQrxwH.exe
File size:	666'120 bytes
MD5:	cfaf6fedf4a8954df63b75e1574e66b3
SHA1:	dc5d8ed078cf6225e133c228670edac311af28b2
SHA256:	64c3f8bf923b9869c7b0f2a77eb1b1db64eae1caec23fa0da3da85c2c885b139
SHA512:	280184ecc259c57d4f09d53c3a71f648049539fe864fbc108fc806f8e4578cf13e25eda98ffaf4e7170ed9b5eab4a5fc1cfe9306e90b05af5dc9430c6f0b94a8
SSDEEP:	12288:kkvq31eoWxRl1d7EmIsoY+rq5hUo22vKY8kALxwtOzfnzRxaMpTjAB8d45VIo6w3:keqF8d4mIn6UoVvKY8BGCfnzR3pTM8Sx
TLSH:	D6E423C78B0A37A7D69E8F34229B3983B77270D3546CC524509AC34CDF89B65F8EA506
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?c.f..............0.............z.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a067a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6618633F [Thu Apr 11 22:25:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
inc edi
xor eax, 34473538h
add byte ptr [eax], al
xor byte ptr [ebp+32h], al
aaa
dec eax
inc ecx
cmp byte ptr [edx+ebx*2], dh
push ebx
xor eax, 344E5A35h
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0625	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa2000	0x664	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9f400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9f574	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9e698	0x9e800	9a350399aad964eec4eb828dc4a4cab0	False	0.9855718281742902	data	7.989229462300673	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa2000	0x664	0x800	6c0e890396653d614673af460e70e758	False	0.3583984375	data	3.620325238809423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0xc	0x200	82825439a25a4dd8f7827d68590cfb36	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa2090	0x3d4	data			0.4346938775510204
RT_MANIFEST	0xa2474	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 06:23:56.013379097 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.013427973 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.013499975 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.059544086 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.059568882 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.289104939 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.289192915 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.291548967 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.291574955 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.292090893 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.354423046 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.400160074 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.590723991 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.590881109 CEST	443	49735	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:56.593692064 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:56.620454073 CEST	49735	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:57.622833967 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:57.870889902 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:57.871016026 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:58.359106064 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:58.359380007 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:58.608015060 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:58.608078957 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:58.608283043 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:58.857125998 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:58.857187986 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:58.857774019 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.107819080 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.107882977 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.107923031 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.107961893 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.108000040 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.108009100 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.108072996 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.114706993 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.363138914 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.369801044 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.617777109 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.619210005 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:23:59.849961996 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:59.850056887 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:59.850171089 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:59.853635073 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:23:59.853674889 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:23:59.867738962 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:23:59.868058920 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.075949907 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.076050997 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:24:00.077299118 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:24:00.077315092 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.077651978 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.120475054 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:24:00.139475107 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:00.139760971 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.168126106 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.385725021 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.385807037 CEST	443	49739	172.67.74.152	192.168.2.4
Apr 17, 2024 06:24:00.385947943 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:24:00.388385057 CEST	49739	443	192.168.2.4	172.67.74.152
Apr 17, 2024 06:24:00.394982100 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:00.395215034 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.658359051 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:00.658610106 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.790458918 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.906681061 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:00.907418013 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.907483101 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.907483101 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:00.907509089 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.029488087 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.029588938 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.155054092 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.155095100 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.410382986 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.450493097 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.611490965 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.611839056 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.698776960 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.698831081 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.698894024 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.699172974 CEST	49737	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.700293064 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.850788116 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.850831032 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.851675034 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.943831921 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:01.943954945 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:01.944509983 CEST	587	49737	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.092072964 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.092174053 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.092801094 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.331428051 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.334466934 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.334506989 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.334544897 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.334583044 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.334603071 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.334696054 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.336421013 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.403868914 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.404160976 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.575649977 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.581136942 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.646739960 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.646789074 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.647103071 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.820987940 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.821279049 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:02.890311956 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:02.891381025 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.060379982 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.060698032 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.135292053 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.135340929 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.135380983 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.135416985 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.135528088 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.135528088 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.137015104 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.315227032 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.315536022 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.379689932 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.380786896 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.564917088 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.567121983 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.623578072 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.623811007 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.811012983 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.811235905 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:03.866688013 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:03.866933107 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.050335884 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.051100016 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.051100016 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.051129103 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.051129103 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.120632887 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.120973110 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.290014982 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.290071011 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.370598078 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.370830059 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.531738997 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.563497066 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.618993044 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.619281054 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.802258015 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.802315950 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.802632093 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.802722931 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.804030895 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.861916065 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:04.863641977 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.863641977 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.863686085 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.863734961 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.863905907 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.863985062 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.864036083 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.864125967 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:04.864162922 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.053473949 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.053664923 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.106102943 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.106493950 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.106548071 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.109575033 CEST	49740	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.147150040 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.355885983 CEST	587	49740	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.357671022 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.407259941 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.431519985 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.431665897 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.680994034 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.681025982 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.681274891 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:05.930581093 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.930612087 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:05.931164026 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.181330919 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.182596922 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.182657957 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.182698965 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.182738066 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.182770967 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.182813883 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.184756041 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.434786081 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.436192989 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.686754942 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.687190056 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:06.936945915 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:06.942423105 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:07.215262890 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:07.215562105 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:07.475883007 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:07.531563044 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:07.808267117 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.073126078 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:08.125197887 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.361109972 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.610768080 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:08.611732006 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.611819983 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.611819983 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.611846924 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.612219095 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.612310886 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.612338066 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.612358093 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.612386942 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:24:08.861372948 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:08.861691952 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:09.207182884 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:24:09.250324965 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:20.358364105 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:25:20.358645916 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:24.212025881 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:25:24.212136030 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:37.313410997 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:37.314881086 CEST	49741	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:37.564208984 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:25:37.565247059 CEST	587	49741	77.88.21.158	192.168.2.4
Apr 17, 2024 06:25:40.813376904 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:40.813704014 CEST	49742	587	192.168.2.4	77.88.21.158
Apr 17, 2024 06:25:41.047753096 CEST	587	49742	77.88.21.158	192.168.2.4
Apr 17, 2024 06:25:41.047817945 CEST	587	49742	77.88.21.158	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 06:23:55.886976004 CEST	62862	53	192.168.2.4	1.1.1.1
Apr 17, 2024 06:23:55.991487026 CEST	53	62862	1.1.1.1	192.168.2.4
Apr 17, 2024 06:23:57.296144009 CEST	55898	53	192.168.2.4	1.1.1.1
Apr 17, 2024 06:23:57.618470907 CEST	53	55898	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 06:23:55.886976004 CEST	192.168.2.4	1.1.1.1	0xd42c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 17, 2024 06:23:57.296144009 CEST	192.168.2.4	1.1.1.1	0x76f6	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 06:23:55.991487026 CEST	1.1.1.1	192.168.2.4	0xd42c	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 17, 2024 06:23:55.991487026 CEST	1.1.1.1	192.168.2.4	0xd42c	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 17, 2024 06:23:55.991487026 CEST	1.1.1.1	192.168.2.4	0xd42c	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 17, 2024 06:23:57.618470907 CEST	1.1.1.1	192.168.2.4	0x76f6	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 06:23:57.618470907 CEST	1.1.1.1	192.168.2.4	0x76f6	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	172.67.74.152	443	7892	C:\Users\user\Desktop\45brrQrxwH.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 04:23:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-17 04:23:56 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 04:23:56 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8759a481ea21adcf-ATL
2024-04-17 04:23:56 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	172.67.74.152	443	5996	C:\Users\user\AppData\Roaming\XEWKUH.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 04:24:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-17 04:24:00 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 04:24:00 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8759a499a9b2673f-ATL
2024-04-17 04:24:00 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32 Data Ascii: 81.181.57.52

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 17, 2024 06:23:58.359106064 CEST	587	49737	77.88.21.158	192.168.2.4	220 mail-nwsmtp-smtp-production-main-17.iva.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1713327838-vN5ueh5Vr8c0
Apr 17, 2024 06:23:58.359380007 CEST	49737	587	192.168.2.4	77.88.21.158	EHLO 405464
Apr 17, 2024 06:23:58.608078957 CEST	587	49737	77.88.21.158	192.168.2.4	250-mail-nwsmtp-smtp-production-main-17.iva.yp-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Apr 17, 2024 06:23:58.608283043 CEST	49737	587	192.168.2.4	77.88.21.158	STARTTLS
Apr 17, 2024 06:23:58.857187986 CEST	587	49737	77.88.21.158	192.168.2.4	220 Go ahead
Apr 17, 2024 06:24:01.611490965 CEST	587	49740	77.88.21.158	192.168.2.4	220 mail-nwsmtp-smtp-production-main-19.sas.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1713327841-1O5XhK08huQ0
Apr 17, 2024 06:24:01.611839056 CEST	49740	587	192.168.2.4	77.88.21.158	EHLO 405464
Apr 17, 2024 06:24:01.850831032 CEST	587	49740	77.88.21.158	192.168.2.4	250-mail-nwsmtp-smtp-production-main-19.sas.yp-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Apr 17, 2024 06:24:01.851675034 CEST	49740	587	192.168.2.4	77.88.21.158	STARTTLS
Apr 17, 2024 06:24:02.092174053 CEST	587	49740	77.88.21.158	192.168.2.4	220 Go ahead
Apr 17, 2024 06:24:02.403868914 CEST	587	49741	77.88.21.158	192.168.2.4	220 mail-nwsmtp-smtp-production-main-39.vla.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1713327842-2O5UpSBOg8c0
Apr 17, 2024 06:24:02.404160976 CEST	49741	587	192.168.2.4	77.88.21.158	EHLO 405464
Apr 17, 2024 06:24:02.646789074 CEST	587	49741	77.88.21.158	192.168.2.4	250-mail-nwsmtp-smtp-production-main-39.vla.yp-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Apr 17, 2024 06:24:02.647103071 CEST	49741	587	192.168.2.4	77.88.21.158	STARTTLS
Apr 17, 2024 06:24:02.890311956 CEST	587	49741	77.88.21.158	192.168.2.4	220 Go ahead
Apr 17, 2024 06:24:05.431519985 CEST	587	49742	77.88.21.158	192.168.2.4	220 mail-nwsmtp-smtp-production-main-46.myt.yp-c.yandex.net (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1713327845-5O5sD666PeA0
Apr 17, 2024 06:24:05.431665897 CEST	49742	587	192.168.2.4	77.88.21.158	EHLO 405464
Apr 17, 2024 06:24:05.681025982 CEST	587	49742	77.88.21.158	192.168.2.4	250-mail-nwsmtp-smtp-production-main-46.myt.yp-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Apr 17, 2024 06:24:05.681274891 CEST	49742	587	192.168.2.4	77.88.21.158	STARTTLS
Apr 17, 2024 06:24:05.930612087 CEST	587	49742	77.88.21.158	192.168.2.4	220 Go ahead

Target ID:	0
Start time:	06:23:50
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\45brrQrxwH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\45brrQrxwH.exe"
Imagebase:	0x870000
File size:	666'120 bytes
MD5 hash:	CFAF6FEDF4A8954DF63B75E1574E66B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1678240025.000000000496D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:23:52
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\45brrQrxwH.exe"
Imagebase:	0x50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:23:52
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:23:53
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XEWKUH.exe"
Imagebase:	0x50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:23:53
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:23:53
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp365A.tmp"
Imagebase:	0xad0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:23:53
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:23:53
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\45brrQrxwH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\45brrQrxwH.exe"
Imagebase:	0x1a0000
File size:	666'120 bytes
MD5 hash:	CFAF6FEDF4A8954DF63B75E1574E66B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:23:54
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\45brrQrxwH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\45brrQrxwH.exe"
Imagebase:	0xb80000
File size:	666'120 bytes
MD5 hash:	CFAF6FEDF4A8954DF63B75E1574E66B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2876066217.000000000305B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2876066217.0000000003031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:23:55
Start date:	17/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:23:56
Start date:	17/04/2024
Path:	C:\Users\user\AppData\Roaming\XEWKUH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\XEWKUH.exe
Imagebase:	0x900000
File size:	666'120 bytes
MD5 hash:	CFAF6FEDF4A8954DF63B75E1574E66B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1717424225.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 70%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:23:57
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\user\AppData\Local\Temp\tmp4771.tmp"
Imagebase:	0xad0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:23:57
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:23:58
Start date:	17/04/2024
Path:	C:\Users\user\AppData\Roaming\XEWKUH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\XEWKUH.exe"
Imagebase:	0xbc0000
File size:	666'120 bytes
MD5 hash:	CFAF6FEDF4A8954DF63B75E1574E66B3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2870535189.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2875685208.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2875685208.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.8%
Total number of Nodes:	209
Total number of Limit Nodes:	14

Executed Functions

Function 0CB3C7E0 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111dda31bd8d7f311f1d4f5004cbe0515ce2f9f90496825dab69f1b349c99b25
Instruction ID: 0b151e98973be6cb05bb54ade80220d4d6f6a3577d6b5418e9dff210ae54f089
Opcode Fuzzy Hash: 111dda31bd8d7f311f1d4f5004cbe0515ce2f9f90496825dab69f1b349c99b25
Instruction Fuzzy Hash: B332BD31B012048FDB19DBB9C550BAEBBF6EF89700F2445A9E146AB3A1CB35ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 012AFC18 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18a42807a8c51a86e19b0b46d217a5e4fc7f3c2f31693388d0d324c272c7b44
Instruction ID: f651c73edf9461e59e0b97771e689a776da721b385b694ddb4bd6349ebfdccb8
Opcode Fuzzy Hash: d18a42807a8c51a86e19b0b46d217a5e4fc7f3c2f31693388d0d324c272c7b44
Instruction Fuzzy Hash: 6291B470E116198BDB54EFA9C9406DDFBB2FF89300F20C169D518BB251EB346A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0CB3AB88 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc3085f8d40661230428ab95a78c5d2d75ded7b246170150eef772ffa40924b
Instruction ID: b887a28b9f25e8a677047e587b28a72580469d06fa5c36f8253a3ffb32548769
Opcode Fuzzy Hash: bfc3085f8d40661230428ab95a78c5d2d75ded7b246170150eef772ffa40924b
Instruction Fuzzy Hash: 8E810675E052288FDB24CFA6CC407EDBBB6BF89300F2491EAD409A6255EB715A85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 012AFC09 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a55d7a3eb100b7908bfda99d5cf07081f626bf9abc01620456a69c70ac0519
Instruction ID: f4f6d6995ae40d3261732be1628ab2dd43a2e48d2cafb26306511b41aebcd917
Opcode Fuzzy Hash: 60a55d7a3eb100b7908bfda99d5cf07081f626bf9abc01620456a69c70ac0519
Instruction Fuzzy Hash: 2681D471E102198BDB14EFA9C9406DDFBB2FF89300F61C169D518BB251EB346A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0CB38049 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104c79d836d3ff445207d53ebe7ab6aec022f84220482b135182358dd03634af
Instruction ID: 552ecd18fcf2e2aaa77d700a3d70643a68dde169b0abdf46c5fb4d2e365a5c29
Opcode Fuzzy Hash: 104c79d836d3ff445207d53ebe7ab6aec022f84220482b135182358dd03634af
Instruction Fuzzy Hash: E6414A74E49A08CBDB14CFAAD4442EDFBF9AF8D300F24B06AE40AA7295DB754445CE42

Uniqueness

Uniqueness Score: -1.00%

Function 0CB3117B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e57447e502f6538c127734bc4f5a92728833e29c174eabe3caa6772ad2a27e
Instruction ID: 838399849422c018d088234d1a58f6d24f75295a31a7e915f0f403b11861ecd4
Opcode Fuzzy Hash: 71e57447e502f6538c127734bc4f5a92728833e29c174eabe3caa6772ad2a27e
Instruction Fuzzy Hash: AE412E74E096088FDB04CFAED8406EEBBFAAF8D300F14E0A9E419A7251DB345941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0CB318AB Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086d777628b4b7cf7d6d3660d80169b993c733d8792a21d65bc1048e7b559b05
Instruction ID: e4f47f50521c3ee067146831939a7c5c530fb056f7dfaf3329526f7937283fea
Opcode Fuzzy Hash: 086d777628b4b7cf7d6d3660d80169b993c733d8792a21d65bc1048e7b559b05
Instruction Fuzzy Hash: 17316DB1D056488FEB19CFAAC8443DEBFF6AF89300F14D4AAD4086B255DB740549CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0CB318B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ae56cac9b29e9ba24567834d23c424e1e07a10baeeff30dc41462119749fed
Instruction ID: 4a7840bf8286d46f196fef40b9b80f071599bc510eda0da5bf9ca307258a2db1
Opcode Fuzzy Hash: 34ae56cac9b29e9ba24567834d23c424e1e07a10baeeff30dc41462119749fed
Instruction Fuzzy Hash: D321A2B1D006188BEB18CF9BD8457DEFAFBAFC8300F14D06AD40866264DB74094ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0CB3AECB Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c10b4650b32858b5bc840b6b6d1fa52b669365cf05f96376d35d581e7c38c7
Instruction ID: c2abba8b3f60b8fd9ab1f65283d761e678814429cae7672abb661b0cecb6ebcb
Opcode Fuzzy Hash: 55c10b4650b32858b5bc840b6b6d1fa52b669365cf05f96376d35d581e7c38c7
Instruction Fuzzy Hash: 40A00290C9E148C385011C6049454F4F23C675B450D6034C8044E3301A0801C008500C

Uniqueness

Uniqueness Score: -1.00%

Function 012AD108 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012AD196
GetCurrentThread.KERNEL32 ref: 012AD1D3
GetCurrentProcess.KERNEL32 ref: 012AD210
GetCurrentThreadId.KERNEL32 ref: 012AD269

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9bde343ee41f3250f06879fce9b445553629fd21a0161b7488e03fbdd1c17d81
Instruction ID: 184d6d6e02cc399a86feaaf7d685a6477234c4f4f5f19ed30120edf40e6999db
Opcode Fuzzy Hash: 9bde343ee41f3250f06879fce9b445553629fd21a0161b7488e03fbdd1c17d81
Instruction Fuzzy Hash: C45175B0D002498FDB04DFA9D988B9EBBF1EF88304F20C569E159A73A1DB349944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 012AD118 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012AD196
GetCurrentThread.KERNEL32 ref: 012AD1D3
GetCurrentProcess.KERNEL32 ref: 012AD210
GetCurrentThreadId.KERNEL32 ref: 012AD269

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 49a7096d6672064fc1fda9a79ee79a1bad1b8ba4e6191be8f0805395d58cc750
Instruction ID: 247db11a80efb26bfb6de2953d5ca299c2683360aa92c4706efa122f535f8de8
Opcode Fuzzy Hash: 49a7096d6672064fc1fda9a79ee79a1bad1b8ba4e6191be8f0805395d58cc750
Instruction Fuzzy Hash: AE5155B09002098FDB14DFA9D988B9EBBF1EF88314F20C559E519A7261DB34A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0CB374FD Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0CB3773E

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 717754f0c2686a7c36d1b7519962612eebbf86d7861d557203e5b83a4f532a0f
Instruction ID: 6acbc5afca09f33d4e9998617d53f8a288ca3be39da187015544c9aa7efcfc43
Opcode Fuzzy Hash: 717754f0c2686a7c36d1b7519962612eebbf86d7861d557203e5b83a4f532a0f
Instruction Fuzzy Hash: 10A148B1E00259CFDB24CF68C945BEDBBB2FB48314F1485AAD848B7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37508 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0CB3773E

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 38414a030501a36826c2f2f246ab95dabf9fe7776798117d78010a6ab4220282
Instruction ID: 5e0bd33675eb227a38ce93a66afc59f18b70c8ff99622c542fa184e8b169e3ff
Opcode Fuzzy Hash: 38414a030501a36826c2f2f246ab95dabf9fe7776798117d78010a6ab4220282
Instruction Fuzzy Hash: 499138B1E00219DFDB14CF69C945BAEBBB2FF48314F1485AAD808B7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 012AAE90 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AB0E6

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2b6011f1d11866df9620d36b5dd15f55c0fe2bbb66ec4776b959173ff6d98a89
Instruction ID: cb80f8981794e2248e6d9580ad32e758055fcfacdb99e2dcb1a251e75b19da4e
Opcode Fuzzy Hash: 2b6011f1d11866df9620d36b5dd15f55c0fe2bbb66ec4776b959173ff6d98a89
Instruction Fuzzy Hash: 097168B0A10B068FDB24DF29D54475ABBF5FF88304F008A2DD58AD7A50DB75E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012A590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A59C9

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9dcc875f48d0506daa2919ef9880fbb0732c150df1096b993f7a92924c8226d6
Instruction ID: d9a8aaa476afca5dc3065069c7356de60306e824b34ef2a0d199b8a4a9ec51fd
Opcode Fuzzy Hash: 9dcc875f48d0506daa2919ef9880fbb0732c150df1096b993f7a92924c8226d6
Instruction Fuzzy Hash: 7D41F3B0D00719CFDB24DFA9C8847CEBBB5BF49314F2480AAD408AB251DB756986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012A59C9

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f5728629525ff926424ec93166a4309c7c83b2603839d5351b09fd2e83d0fa9
Instruction ID: 379ae039fcaafc24f510c4ee24cba5e023869375a3e139682a236e4bfd3f1381
Opcode Fuzzy Hash: 2f5728629525ff926424ec93166a4309c7c83b2603839d5351b09fd2e83d0fa9
Instruction Fuzzy Hash: 6841F2B0D10719DBDB24DFAAC884B8EBBF5BF49304F24806AD408AB251DBB55985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A5A84 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e282c6de00dbce22f1835509fb1d48affff1474ba49f46a0a335a23f225ef204
Instruction ID: 270520750486ba80c6c866cd46e8cd42ae535ba01de2be5c06fac2019c61b9fb
Opcode Fuzzy Hash: e282c6de00dbce22f1835509fb1d48affff1474ba49f46a0a335a23f225ef204
Instruction Fuzzy Hash: B331DDB1C1434ACFDF11CFA8C8457EEBBB0AF42314F64818AD445AB256D775998ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 012AD421 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AD3E7

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5d5559ce353612e88a70aeef2f78c656f96f3e118dd2a795237cd1c1cc0d601a
Instruction ID: 482b2694b10b4253de7f966eaa4a3ac376096a12a974726bf67d318d06127fe9
Opcode Fuzzy Hash: 5d5559ce353612e88a70aeef2f78c656f96f3e118dd2a795237cd1c1cc0d601a
Instruction Fuzzy Hash: 55319E38650390CFF7619F60F449BA97FA6F798720F50842AE9128F7D9CAB44885CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37278 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0CB37310

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4486f1c5554c7a019c942cc74f332ce89b754fa38a55799f8e59912b4ac31e1c
Instruction ID: 991371ce3cbcd8336d5e46ad2c9d028509ff8cd4b0bee05261ad27f84e745ea6
Opcode Fuzzy Hash: 4486f1c5554c7a019c942cc74f332ce89b754fa38a55799f8e59912b4ac31e1c
Instruction Fuzzy Hash: 50215AB19003599FCB10DFA9C884BDEBBF4FF48310F108429E958A7250C7749545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0CB37310

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d7df21b08cf6c4c7c715492d361269b52808f281b87ba1d62e49f193bb87e8f
Instruction ID: 65993e57cb1ac4c4f0a6f588dd720f74576364f132f3be42a04da6c2a157e3d9
Opcode Fuzzy Hash: 7d7df21b08cf6c4c7c715492d361269b52808f281b87ba1d62e49f193bb87e8f
Instruction Fuzzy Hash: CA2166B1900349DFCB10CFA9C884BEEBBF4FF48310F10842AE958A7250CB789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37369 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0CB373F0

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 29d6ace613e7551ea53dd103e4c7c6481820d72908d0ac6d0f6302077b45cee7
Instruction ID: 9be2427b5fb31f51787ddb17e1f1f2e2c09e9413d77d77e0c6df892c7566a590
Opcode Fuzzy Hash: 29d6ace613e7551ea53dd103e4c7c6481820d72908d0ac6d0f6302077b45cee7
Instruction Fuzzy Hash: B62136B18002599FCB10DFAAC840AEEFBF4FF48310F10842AE959A7250C734A545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB370E2 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0CB37166

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6972ea10adfac20a70b1438f5b55ea9d87adc4603b56a9e124b2e0298a397a03
Instruction ID: c0f282004b292b681a7d4c6bb6a2cf81dcf7dbe46a5d80e4c48ba0659a1c835b
Opcode Fuzzy Hash: 6972ea10adfac20a70b1438f5b55ea9d87adc4603b56a9e124b2e0298a397a03
Instruction Fuzzy Hash: C92159B1D002098FCB10DFA9C4447EEBBF4EF48314F208429D558A7240CB789944CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0CB370E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0CB37166

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dc2f2696abef1960a7f5295ebf611549ca795b77671cbe1fabbd234890703fe6
Instruction ID: 6331339d3198b66bab14a75d04f06a31202b68b8f8857aee2e699c9cf8a67946
Opcode Fuzzy Hash: dc2f2696abef1960a7f5295ebf611549ca795b77671cbe1fabbd234890703fe6
Instruction Fuzzy Hash: 872138B29003098FDB10DFAAC9857EEBBF4EF48324F14842AD559A7240CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37370 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0CB373F0

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6299fe5199a320f198a7c4aa53096c81380b9a54fa37c259baec5c9885e9f93b
Instruction ID: 390c5da6f9e8cec31db196da9175cd9e1c2f4d6489a6a843947cd7ae9b57b5df
Opcode Fuzzy Hash: 6299fe5199a320f198a7c4aa53096c81380b9a54fa37c259baec5c9885e9f93b
Instruction Fuzzy Hash: 4D2128B19003599FCB10DFAAC844AEEFBF5FF48310F10842AE559A7250C7749545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 012AD358 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AD3E7

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 17bcb5550b23f3b673be3cbb250ec671cdd8208f1374dbcd2f3c88c36ada3618
Instruction ID: 5a91e9eef3038d27893668694d5c2aaa95136a233a20103a96ca0fe88c76a3bf
Opcode Fuzzy Hash: 17bcb5550b23f3b673be3cbb250ec671cdd8208f1374dbcd2f3c88c36ada3618
Instruction Fuzzy Hash: E22112B5900209DFDB10CFAAD984ADEBFF4FB48324F14802AE918A7310D374A940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 012AD360 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AD3E7

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8b23a8dfc8b178f2560a3f50eae86e99687f1d572f289ad2acc2a11dc2ed530
Instruction ID: af25dee69d926956fb74ab8f0da07760498575f62b7e373583ac44004232abbb
Opcode Fuzzy Hash: d8b23a8dfc8b178f2560a3f50eae86e99687f1d572f289ad2acc2a11dc2ed530
Instruction Fuzzy Hash: 3321E2B59002499FDB10CFAAD984ADEFFF8EB48320F14841AE958A7350C374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0CB371B8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0CB3722E

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3aac12df0306d8cbc47c63bba4cdec5cba0ca3cd36360ffada4b3309ae35865
Instruction ID: 44003cb7a0638a6c74c57785a80772f620953877e94a8d092c5bad19bb41c46f
Opcode Fuzzy Hash: f3aac12df0306d8cbc47c63bba4cdec5cba0ca3cd36360ffada4b3309ae35865
Instruction Fuzzy Hash: 971144B29002489BCB20DFAAC844ADFBFF5EB89324F208419E559A7250CB75A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 012AA8D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AB161,00000800,00000000,00000000), ref: 012AB372

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ac1279e33660c207430db18d3ceee4357269917a04b9dc18f344aea56993f57
Instruction ID: a061ad05ac47e6b9774dce576edbfd6c37502f0e81e49ea8b2774f71cfb339ec
Opcode Fuzzy Hash: 0ac1279e33660c207430db18d3ceee4357269917a04b9dc18f344aea56993f57
Instruction Fuzzy Hash: E31112B69003499FDB20CF9AC844ADEFBF4EB48310F14852AE919A7610C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37030 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0CB3709A

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7970f7ac5311bc4758bbed41088b40a35c153c13fceaa6e02f0cf9a6aab9eaff
Instruction ID: 6c422bc3ea20bcd1371d3c17c4da0a6b09029ca6d95270a3e21ae568b0fb53bb
Opcode Fuzzy Hash: 7970f7ac5311bc4758bbed41088b40a35c153c13fceaa6e02f0cf9a6aab9eaff
Instruction Fuzzy Hash: EA1158B1D002488BCB20DFAAC8457DFFBF5EB88324F208829D559A7250CB79A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB371C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0CB3722E

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bc31c09b3dbd0e524bb1d138274dd9e97f834547b53c9c96706b1c7c75d239fc
Instruction ID: c83c7edcd99d1f5e7c677cd096e997ce3b3bfcf6c20af4a25cbb425a2c0f4f83
Opcode Fuzzy Hash: bc31c09b3dbd0e524bb1d138274dd9e97f834547b53c9c96706b1c7c75d239fc
Instruction Fuzzy Hash: 4F1137B29002499FCB20DFAAC844BDEFFF5EF88324F248419E559A7250CB75A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012AB300 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012AB161,00000800,00000000,00000000), ref: 012AB372

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 920df01d89ac9afd5a09a0d74ef1902c5701906a5f2ef5e3da88e161c6bc8318
Instruction ID: a0d9f8df5165bf19772638407f0ebc91b2fe6f768dedcdbe9884c14ccbfdeadc
Opcode Fuzzy Hash: 920df01d89ac9afd5a09a0d74ef1902c5701906a5f2ef5e3da88e161c6bc8318
Instruction Fuzzy Hash: F31123B6900249CFDB10CFAAC948ADEFFF4EB88314F14852AD919A7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB37038 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0CB3709A

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: eee4176fa62afdf091335052d3879966069eb4050c07f87456f312446d19f68f
Instruction ID: 8d319fa63615bd95fb8b34007b95acf139def3ba42ecb38755bbf81f5a249f97
Opcode Fuzzy Hash: eee4176fa62afdf091335052d3879966069eb4050c07f87456f312446d19f68f
Instruction Fuzzy Hash: AF116AB1D003488FCB20DFAAC8447DEFBF4EB88324F208429C459A7250CB79A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB38394 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0CB3BD95

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8bd1ddd94c1be181139f4706d79c3dc97435c33e387d186b7844b28728df8bc6
Instruction ID: a51c2df79edb64d461cb7f3a485c4aceeee4b24a6284ff70313b0257de82a3fe
Opcode Fuzzy Hash: 8bd1ddd94c1be181139f4706d79c3dc97435c33e387d186b7844b28728df8bc6
Instruction Fuzzy Hash: F611F5B58003599FCB10DF99C844BDEBFF8EB48314F208459E558A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AB080 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012AB0E6

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d27c9d3ae88b326f643d86b7cad7d27e16b5d5055ca8aaeeee9ad790889a00f9
Instruction ID: e74e57668abf8d7426d59483ac390d236be5812266044a60c66a8c098ea0c24c
Opcode Fuzzy Hash: d27c9d3ae88b326f643d86b7cad7d27e16b5d5055ca8aaeeee9ad790889a00f9
Instruction Fuzzy Hash: 1E110FB5C003498FDB20CF9AC844ADEFBF4AB89324F10842AD568A7210C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0CB3BD32 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0CB3BD95

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 399e9c2d0b28a4df1ce27e1640ac9e03ea9e73c8a4e12aababdbab3b73873325
Instruction ID: 2ebf1f594ca77c627722ed91b8c0c574c553c25674bef17c87ab946d616fffeb
Opcode Fuzzy Hash: 399e9c2d0b28a4df1ce27e1640ac9e03ea9e73c8a4e12aababdbab3b73873325
Instruction Fuzzy Hash: 3311F2B58002599FCB20CF99C889BEEBFF4EB48314F20845AE558A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673518344.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffd000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d081be600b3c4b5bd402d74594acec79a401e918dc7da46cf7b5ed8878248d
Instruction ID: 8099a20759270393e52d63f29b4ec3f5038cc39670d253b385bb9ba495c6c7d2
Opcode Fuzzy Hash: e5d081be600b3c4b5bd402d74594acec79a401e918dc7da46cf7b5ed8878248d
Instruction Fuzzy Hash: 26213A72500208DFDB05DF14D9C4B36BF66FF94324F20C169DA094B266C336E856E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0100D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673610089.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36f08757b55ab4bf291d3cb7d9e3055444115d88e39cef495275348ceaeddee
Instruction ID: 0088a7441bbe00897aaf2854a5741722d4029b77014a49536ac5d6fa0493184e
Opcode Fuzzy Hash: b36f08757b55ab4bf291d3cb7d9e3055444115d88e39cef495275348ceaeddee
Instruction Fuzzy Hash: C5210771504200EFEB06DFD8D5C0B2ABBA5FB94324F20C5ADE9894B296C736D446CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0100D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673610089.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45b3f9fe447fa22a0454a6669c7b238234e088713d95f8ec619d4514eefe8e9
Instruction ID: 68d802476f8ba44ba93844c7fc6aa5a8dd7a5d993b656649506c2112c295b9af
Opcode Fuzzy Hash: f45b3f9fe447fa22a0454a6669c7b238234e088713d95f8ec619d4514eefe8e9
Instruction Fuzzy Hash: 8E21F571604200DFEB16DF98D984B16BFA5EB84354F20C5ADE98D4B296C336D447CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673518344.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffd000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 803295628148726fcb8aa9ef68cda6d90fc44538cfd0a069b63bcf6204071f47
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 51110672804244CFCB05CF00D5C4B26BF72FF94324F24C2A9D9090B666C33AD456DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673610089.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 44911f9d491f95544893abfcef7905d32e9690f1fdd31aca27cb2dae417c199a
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: C2119075504280DFDB16CF94D5C4B15FFA2FB44314F24C6AAE84D4B696C33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0100D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673610089.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_100d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6b2a6ae5ae6cba8fcbfeeaf0af7207f02dc1127a6503fda2c4fd61e80d9d90fb
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BA11BB75504280DFEB02CF98C5C4B15BFA1FB84224F24C6AAD8894B696C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673518344.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffd000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81268956029c7048b3e11276761ca174740c551c81f2a2d5e6caad31306a48b8
Instruction ID: 562286f04121ad310ba327cb1f8d36a4eb037b41d333ee3ed6a238549e5d4ac0
Opcode Fuzzy Hash: 81268956029c7048b3e11276761ca174740c551c81f2a2d5e6caad31306a48b8
Instruction Fuzzy Hash: 7B012B334083489AE7116E26CD84B77FFD9DF41334F18C56AEE080E2A6C679D840D671

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673518344.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffd000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e926601f81ca1a6017f45018b65f58a847981c70c4c2cf0fd6d89847360ae3c
Instruction ID: d2aa1b09fa5295965dfccc83a1aa51684f64a05eb5d314e29f36313b5ac081a7
Opcode Fuzzy Hash: 3e926601f81ca1a6017f45018b65f58a847981c70c4c2cf0fd6d89847360ae3c
Instruction Fuzzy Hash: BBF0C2724083449AE7109E16C888B62FFA8EF51334F18C45AED080E2A6C2799840CBB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0CB344C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a870e8d368c5939f39c1f12e1a85401fb56a1ac3a923ebc8c615f5e882e022
Instruction ID: a1738f1d8c4ff278378db1010b24d65abf92e36ef94f170559c5570f9dc8623e
Opcode Fuzzy Hash: 98a870e8d368c5939f39c1f12e1a85401fb56a1ac3a923ebc8c615f5e882e022
Instruction Fuzzy Hash: EFE10974E011198FDB14DFA9C5809AEFBB2FF89304F2491A9E415AB356D730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0CB34D30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f0bf9243cf9747b69a9ca7e7e129b8b82181f31fca9fccabb4b5367947350a
Instruction ID: 9477ad5769b67ced3bf9f9239357f0bb060e63be74d0ff36909503b9a4889c79
Opcode Fuzzy Hash: b9f0bf9243cf9747b69a9ca7e7e129b8b82181f31fca9fccabb4b5367947350a
Instruction Fuzzy Hash: 8DE12974E001198FDB14DFA9C5809AEFBB2FF89304F2491A9E419AB356D731AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0CB348F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9b9cdf392ece773b7929d93098a9e80ef67b6d8a4c096b6cdf4a3363366b2e
Instruction ID: ca0d34146f0360cc6e9954bcdddff537fcd0cbd6d67e5b94077edb752451ce6f
Opcode Fuzzy Hash: 0f9b9cdf392ece773b7929d93098a9e80ef67b6d8a4c096b6cdf4a3363366b2e
Instruction Fuzzy Hash: 96E11974E011198FDB14DFA9C580AAEFBB2FF89304F249169E415AB35AD730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0CB36810 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821b18058a6d2e85eb68463ce81eacfc0dd3ed30ed8dc259f1b4c7600375b0a4
Instruction ID: f0cbea2e256459c7bcdd1383f8c7f9ead58b5aa10db37fcddf732b45091cf1f2
Opcode Fuzzy Hash: 821b18058a6d2e85eb68463ce81eacfc0dd3ed30ed8dc259f1b4c7600375b0a4
Instruction Fuzzy Hash: B8E11874E011199FDB14DFA9C580AAEFBB2FF88304F249169E815AB356D730AD41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0CB363D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c60ab80b318f4a742a6e873085e8c361a470a3ec479c0168878ad0a43a7a4d
Instruction ID: 64382ae93bf44dc9fe370f7b36b4055895835452330fd46949698edfe83cf5cb
Opcode Fuzzy Hash: 18c60ab80b318f4a742a6e873085e8c361a470a3ec479c0168878ad0a43a7a4d
Instruction Fuzzy Hash: 56E12A74E011199FDB14DFA9C5809AEFBB2FF88304F249169E815AB35AD730AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ADCD4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1674042546.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12a0000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8809ff548035e597869f3f3be2ac115dabaa24502c67bc612c5ba929119969
Instruction ID: 90bd615d162b3e8beed0b010c175103d88628e163ac653a3d0a34d48b05cce12
Opcode Fuzzy Hash: 7c8809ff548035e597869f3f3be2ac115dabaa24502c67bc612c5ba929119969
Instruction Fuzzy Hash: 77A19D32A1060A8FCF15DFB8D9445EEBBB2FF84300B54456AE905AB265DB35E906CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0CB348E8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b516e9951df5f3fc7238227899974df3e70f465ed571a42d738b1a373cfaf47
Instruction ID: b64234e69d4e4f1dd3d1af59c4ba93806a08c0a65c595bfe55a2b6d7c99c1046
Opcode Fuzzy Hash: 7b516e9951df5f3fc7238227899974df3e70f465ed571a42d738b1a373cfaf47
Instruction Fuzzy Hash: 21510770E016198FDB15CFA9C5805AEFBF2FF89300F2491A9D418AB356D7319A42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0CB36800 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685209864.000000000CB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0CB30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb30000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136e78f22b77cff1677e10b861eb1b9526aadf56ff3d920b4923e9b813d30522
Instruction ID: 6a87f734825233e17c2aa6d9f0ae958dea416497fcd1181135d4d0c50d098bbf
Opcode Fuzzy Hash: 136e78f22b77cff1677e10b861eb1b9526aadf56ff3d920b4923e9b813d30522
Instruction Fuzzy Hash: 9751FC70E012198FDB14DFA9C5805AEFBF2FF89304F2495AAE418AB356D7319941CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 45brrQrxwH.exePID: 7892, Parent PID: 7432COMMON

Execution Graph

Execution Coverage:	14%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	4

Executed Functions

Function 06C13040 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C1374B
$^q, xrefs: 06C1373F
$^q, xrefs: 06C13774
$^q, xrefs: 06C13768
$^q, xrefs: 06C13798
$^q, xrefs: 06C1378C

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 040dcf7cecc1209137b80b613b007e8d68547b0d1917cf2c623ba8634e33baec
Instruction ID: 0f7e4988fb49335c7c3f17af61525c568e0ff8cb7b230cbeea0c5a58fb35d045
Opcode Fuzzy Hash: 040dcf7cecc1209137b80b613b007e8d68547b0d1917cf2c623ba8634e33baec
Instruction Fuzzy Hash: 35323D35E1065ACFCB14DF75C99459DB7B2FFC9304F1086AAD409AB264EF30AA85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C17D58 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C180A1
$^q, xrefs: 06C18095

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 964b89dc27b7c01e148f65affcc312257ab828803e230d99997e3b639ee73b87
Instruction ID: e89a687dc026b47c1b7315efa2853c7e1b1b838d278528d622af221ac38a828f
Opcode Fuzzy Hash: 964b89dc27b7c01e148f65affcc312257ab828803e230d99997e3b639ee73b87
Instruction Fuzzy Hash: F502BD30B0120A9FDB54DF68D990AAEB7E2FF85300F148569E406DB394DB35ED86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C165D0 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f1a654414ea440ec8344af88e6b84a90c3d5fba22e4150a09a71ea98778ba9
Instruction ID: aaa8f976ca1737b3394acc76eef5d53e11cb4f2d45c9174c9e72e93dca533cd7
Opcode Fuzzy Hash: 85f1a654414ea440ec8344af88e6b84a90c3d5fba22e4150a09a71ea98778ba9
Instruction Fuzzy Hash: 0562CC34B002058FDB54DB69D594AAEB7F2EF8A314F148469E40AEF390DB35ED46DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C15578 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dc34b8942a56ecdd704f4e02fc42d3cd70e690039e7ec814d7e927aabcbf21
Instruction ID: fa0fa21dee73713b8b797bc6173f760efa90eb0a19b31c5c76269e77e9456a4a
Opcode Fuzzy Hash: 05dc34b8942a56ecdd704f4e02fc42d3cd70e690039e7ec814d7e927aabcbf21
Instruction Fuzzy Hash: 6A22D2B5E102058FDB60DF64C4906AEBBF2EF8A320F50846AD459EF385DA35DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1B20A Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04643cf95d4b04bd5430c3b5b3e9227f220df8926604be25d9dad633771144b6
Instruction ID: 4fbc472d04facdda6d23f717c9bf0aa51626e66de0afee4925db9b681e9eb54b
Opcode Fuzzy Hash: 04643cf95d4b04bd5430c3b5b3e9227f220df8926604be25d9dad633771144b6
Instruction Fuzzy Hash: 01227434E102098FDF64DB68D5907AEB7B2FB86310F208929E409EF391DA35DD869F51

Uniqueness

Uniqueness Score: -1.00%

Function 06C1ACA8 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C1AE4B
$^q, xrefs: 06C1AE1C
$^q, xrefs: 06C1ADC9
$^q, xrefs: 06C1AE28
$^q, xrefs: 06C1AE57
$^q, xrefs: 06C1AE74
$^q, xrefs: 06C1ADD5
$^q, xrefs: 06C1AE80

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: c941e372b85d763c750c100395a8839662cc4e219c63749ecab344e5f1c7d5ce
Instruction ID: 56e11dee909670c456d521412beb40a8c693241acfbd9d25016ba71c0b2a6c23
Opcode Fuzzy Hash: c941e372b85d763c750c100395a8839662cc4e219c63749ecab344e5f1c7d5ce
Instruction Fuzzy Hash: 41E16F30E1120A8FCB59EFA9D5906AEB7B2EF86300F208529E405AF354DB35DD46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1B630 Relevance: 8.0, Strings: 6, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C1BBE1
$^q, xrefs: 06C1BB85
$^q, xrefs: 06C1BBB9
$^q, xrefs: 06C1BBED
$^q, xrefs: 06C1BB79
$^q, xrefs: 06C1BBAD

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 8634b4f580f09364bc5c469fffc80a91cd05e2e8af21653f20ceea1c2a0ed27d
Instruction ID: fdaeffd74ec8456c7e5a46292db72ad2fc7fc6841f058d80b277b21889e2f97a
Opcode Fuzzy Hash: 8634b4f580f09364bc5c469fffc80a91cd05e2e8af21653f20ceea1c2a0ed27d
Instruction Fuzzy Hash: 21027D30E0020A8FDB64DB68D5906ADB7B2FB86310F10896AE405DF355DB35ED86DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C19120 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C19190
$^q, xrefs: 06C191D7
$^q, xrefs: 06C191CB
$^q, xrefs: 06C1919C

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 2ff2cd77758bafe926601f3dd3312cf0c721b39cb5ed4c88a939210c243a8abd
Instruction ID: 6b2ebf86b74d5a51c1a3b1433bc5df175ff3addd31f42d81fba258fa89e2c6d8
Opcode Fuzzy Hash: 2ff2cd77758bafe926601f3dd3312cf0c721b39cb5ed4c88a939210c243a8abd
Instruction Fuzzy Hash: 21914E34F0021A9FDB54DF65D9607AFB3F6EBC9204F108569C409EB344EA74DE468B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1CF20 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C1D31F
$^q, xrefs: 06C1D317
$^q, xrefs: 06C1D32B

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: a65762a0b2e9f0c4e0f07400f3e0232b5851d49e1f3b8a9834dbaa902d2bf346
Instruction ID: d254c9d5b36d604bd407a923691aaecda221813b1f781193a8482073c31fa27d
Opcode Fuzzy Hash: a65762a0b2e9f0c4e0f07400f3e0232b5851d49e1f3b8a9834dbaa902d2bf346
Instruction Fuzzy Hash: EC627130A0020A9FCB55EF68D590A5EB7F2FF85304F248A29D0199F359DB75ED4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 06C14B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06C14B7B
XPcq, xrefs: 06C14CA1
\Ocq, xrefs: 06C14D2B

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 13cd35bbf9e8886f2d1c3b5acaab213a3729fe58f97d9ff2ec79ed0aa512ab58
Instruction ID: 9698f50cfd1516cea1795d7ab2e883311013beb8c9af906cb37f653f5f3783ed
Opcode Fuzzy Hash: 13cd35bbf9e8886f2d1c3b5acaab213a3729fe58f97d9ff2ec79ed0aa512ab58
Instruction Fuzzy Hash: 2A61A030F102199FEB55EFA5C8547AEBBF2FB89700F20842AD10AEB395DB748C058B41

Uniqueness

Uniqueness Score: -1.00%

Function 06C1910F Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C19190
$^q, xrefs: 06C191CB

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: d349f5fe1986571e5e2ffe11ada2f3908931bc780308f31a6523424a6949baf4
Instruction ID: ec7c692ccf16c3179231782d818b2b106a5826badbbcd57214c47c0ec1e743ff
Opcode Fuzzy Hash: d349f5fe1986571e5e2ffe11ada2f3908931bc780308f31a6523424a6949baf4
Instruction Fuzzy Hash: 8751B030B001069FDB54DF79D9A0B6FB3F6EBC9604F148429C80AEB384EA34DD468B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C14B40 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06C14B7B
XPcq, xrefs: 06C14CA1

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 700693933ba82fa72970ca568c6d0816a6a0145fc23b5e742ca07be10086d259
Instruction ID: cf2d9925bf999d56700740ca5a6ca5d95928c9924607a60fe6246a76e2ab82df
Opcode Fuzzy Hash: 700693933ba82fa72970ca568c6d0816a6a0145fc23b5e742ca07be10086d259
Instruction Fuzzy Hash: 92519D70B102199FDB05DFA5C8547AEBBF3FF89700F20852AE106AB395DA748C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 013AECA8 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2874871378.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13a0000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1cd574e388c94af2ba8ac0ffc723afcac50edc7a5d67b4a1d2c24b5c37f388
Instruction ID: 1ecc53b6c37246669876a7bc35bb356a89de54d7f78ba48428a413b2436f62be
Opcode Fuzzy Hash: ba1cd574e388c94af2ba8ac0ffc723afcac50edc7a5d67b4a1d2c24b5c37f388
Instruction Fuzzy Hash: CD41F272D003598FCB14DFB9D8042AEBFF2EF99310F14856AE504E7251EB349845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013AED90 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 013AEDF7

Memory Dump Source

Source File: 00000009.00000002.2874871378.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_13a0000_45brrQrxwH.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b3cae51604a91126260c2c107384dac9e322601c3005e0fe994c43dd69d732e7
Instruction ID: ffddff4b63c0306949fdf201f49c66c8a13091fbc6228eca672a5d338ece05de
Opcode Fuzzy Hash: b3cae51604a91126260c2c107384dac9e322601c3005e0fe994c43dd69d732e7
Instruction Fuzzy Hash: B2111FB1C002699BCB10CF9AD444BDEFBF4EB48324F10812AD918A7240D378A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C1DA95 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C1DBF1

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: e07c07fc6df33bf3dcd7a6adc2783e9ae8ec187140d00fb5b5737c7fa47c34e0
Instruction ID: bc50d6c4bc25b13e280fcfddb34a2556d2fc7265638b00f27f7ec8ddeed4cd96
Opcode Fuzzy Hash: e07c07fc6df33bf3dcd7a6adc2783e9ae8ec187140d00fb5b5737c7fa47c34e0
Instruction Fuzzy Hash: 9E41A170E0020A9FDB61DFA5D5546AEBBB2FF86300F14452AE407EB340DB74E946DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C121BD Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C1230B

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 70650568d112992961053217e8a3b4a12874add50acb26793b84853e6398f768
Instruction ID: 404d2aa98f787bb11e9188b3fbe79f0283058a44d21ed84a17beef953e40f475
Opcode Fuzzy Hash: 70650568d112992961053217e8a3b4a12874add50acb26793b84853e6398f768
Instruction Fuzzy Hash: 7A31F034B102018FDB59AF74D61866E7BE2AB8A210F10853CD406DF395DE39DE86D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 06C121D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C1230B

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: ec44f53748391fab62ced816532bee57b098f2e8d863a3bba8dc1bab13bb073e
Instruction ID: abdb996f50707e1419db080beaefa717e96f5497c0bc294a354b250c0ff39dbd
Opcode Fuzzy Hash: ec44f53748391fab62ced816532bee57b098f2e8d863a3bba8dc1bab13bb073e
Instruction Fuzzy Hash: 0D31F034B102018FDB599F74D51866E7BE3AB8A210F20843CD406EF394DE39DE86C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 06C12348 Relevance: 1.0, Instructions: 1000COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08791e4dd109f9dbf3194ee088a709f60e255aa4c9770f8099295e3334b6bdc3
Instruction ID: 534e0c175d37a44dac66fa2a4a1a5c7b6db13acc142954464593c090105740d1
Opcode Fuzzy Hash: 08791e4dd109f9dbf3194ee088a709f60e255aa4c9770f8099295e3334b6bdc3
Instruction Fuzzy Hash: D9923838A002048FDB64DF68C584A5DB7F2FB46314F5484AAE459EF361DB39EE85DB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C1C160 Relevance: .6, Instructions: 642COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120a1b80a8519ea8a51c9905335ae4ff406be99dfe0635618e2af49b721a7ebd
Instruction ID: 2013fbca2aeaf7a953ec0983558f44984a486c44f60c53dac68d6c7be1a15096
Opcode Fuzzy Hash: 120a1b80a8519ea8a51c9905335ae4ff406be99dfe0635618e2af49b721a7ebd
Instruction Fuzzy Hash: 1132C434B402098FDB54DF68D990BAEB7B2EF8A310F108529E405EB355DB38DD46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C161D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86087210cd81e0d97ce00a31cd803630998bf7ec9539b3f6afd53c64bff19fb3
Instruction ID: edbfd4e43d1d848e3164e1ab1b44683b4e04dd57c0b8e856f7c192bf011e5caf
Opcode Fuzzy Hash: 86087210cd81e0d97ce00a31cd803630998bf7ec9539b3f6afd53c64bff19fb3
Instruction Fuzzy Hash: 4461A171F001214FDB55AB7EC88866FAAD7AFC5620B25443AD80EDB364EE65DD0287C2

Uniqueness

Uniqueness Score: -1.00%

Function 06C14281 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08728b0d8bc10c8a0243e1e32f0ec95197f9a6a5cf3775ee364184b7b87801a
Instruction ID: b7b6c1b1780ef64adfe8e0be83e96f8ea599f5183b5c0ff49a6e759a111a05fb
Opcode Fuzzy Hash: e08728b0d8bc10c8a0243e1e32f0ec95197f9a6a5cf3775ee364184b7b87801a
Instruction Fuzzy Hash: D1814F34B1020A9FDB58DFA9D55466EB7F6AF89304F108429D40AEF394EB34ED428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C145A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8346865da475c2830172936b90ef5553219d8c4be8a4dbeb57e7b151ca4626
Instruction ID: fe616a251a18e349c323f4763d2c7a82383aabcc00b733534ac9f6916c4b4c5d
Opcode Fuzzy Hash: 2d8346865da475c2830172936b90ef5553219d8c4be8a4dbeb57e7b151ca4626
Instruction Fuzzy Hash: B4915030E102198FDB54DF68C890B9DB7B1FF86300F20C59AD449EB295DB70AE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C145B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d395f945a47fe2b6d7e6bd44371b1fb8ef031563cff0285b41032c72a64d75ac
Instruction ID: 7032d5a76fddfe301bbb930f7d4952b403b4189dd2216872c439a24633476b2a
Opcode Fuzzy Hash: d395f945a47fe2b6d7e6bd44371b1fb8ef031563cff0285b41032c72a64d75ac
Instruction Fuzzy Hash: 9B913D30E102198BDB64DF68C880B9DB7B1FF8A304F20C699D549AB355DB70AA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1EAE0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d429e33c6a5277d6c35c57b3cf51d99360cbb94e8742efad4ec7bf525c72a627
Instruction ID: 2d3f3806d19cefd7a76ad9ebd418089a141e5ab1a99abf383d0966a69095295f
Opcode Fuzzy Hash: d429e33c6a5277d6c35c57b3cf51d99360cbb94e8742efad4ec7bf525c72a627
Instruction Fuzzy Hash: 94715D30A002099FDB55EFA9D990A9DBBF6FF89300F148529E419EB355DB30ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C1EAF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fc9c0889f1364887e89247e4e7221c0b4beb4601800c915224d7fd24386de5
Instruction ID: 5ebe516c7b2865f7a68553946f206aded6ea04882cb43e2437eea94d3f0baea1
Opcode Fuzzy Hash: 13fc9c0889f1364887e89247e4e7221c0b4beb4601800c915224d7fd24386de5
Instruction Fuzzy Hash: 66713C30A002099FDB55EFA9D990AADBBF6FF89300F148529E409EB355DB30ED46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C1FC59 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e1aad48c7da2d422a85f2429a8c48209c7a240dc1cfedf212f8d391937ed7b
Instruction ID: ec567d2b9e26b00e0ff46d705181971b384644a17e20ddf64458adf7ad2afe4f
Opcode Fuzzy Hash: d2e1aad48c7da2d422a85f2429a8c48209c7a240dc1cfedf212f8d391937ed7b
Instruction Fuzzy Hash: 9151D131E00105DFDB64EF78E4546ADBBB2FF86315F10886EE52ADB251DB358A45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C1FA08 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f45c0417f83d3b069a78c3d1686e38712c125c8e8e4caf0dff259b5084af2a
Instruction ID: 811767bc1b8b1aee951efa957f6d1267541e99fadbf4e6f0327b4a0bf84b1f2d
Opcode Fuzzy Hash: f7f45c0417f83d3b069a78c3d1686e38712c125c8e8e4caf0dff259b5084af2a
Instruction Fuzzy Hash: D4511C30B102189FEF60666CD96077F369ED78A310F20482FD01ADB399CA6DCD8657A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C1FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74badb636a41e61e575a9c81a674c2ac30c73e2ff247b15156280f53b7b3e59
Instruction ID: da662bb071c8dffa97a3f390d3f74e64d5f20a516c00e2f96266d83425d5fee0
Opcode Fuzzy Hash: e74badb636a41e61e575a9c81a674c2ac30c73e2ff247b15156280f53b7b3e59
Instruction Fuzzy Hash: F3512C30B102189FEF60666CD96477F369FD78A310F20482EE11ADB3D9CA6DCD8557A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C153F8 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48e4a38e2b8f71c3562bfda2b61f1d642b8a38974b853e51814550a6ec153a2
Instruction ID: 298d4832e27a207d45baad77edaf6b0f8335aea33016ab3f29de5c14f4cdf42a
Opcode Fuzzy Hash: f48e4a38e2b8f71c3562bfda2b61f1d642b8a38974b853e51814550a6ec153a2
Instruction Fuzzy Hash: 12417CB1E006098FDF70CEA9D880AAFFBF2FB85310F50492AE156DB254D330E9559B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C15567 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a5594465835c4fff96a6b157780785c0e070bdf1ba5f727e8830cde92f7482
Instruction ID: 073fd629841e4bc174b72c7eaba3d81979793f51797e927983229dac42ab705c
Opcode Fuzzy Hash: d5a5594465835c4fff96a6b157780785c0e070bdf1ba5f727e8830cde92f7482
Instruction Fuzzy Hash: C64192B5E101098FDF60CB69C4C0ABEBBB1EB86310FA1896ED059DF251C634DA41DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C12080 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85a9bf2fa588654090d8e2b4e44e8f8c907d3f53edb1727d689ec9e40f8f69a
Instruction ID: 9eb62c68d29cf3799a60bb6af71bc6845fb426a6b8cbf82b95d7d5608b4dd136
Opcode Fuzzy Hash: a85a9bf2fa588654090d8e2b4e44e8f8c907d3f53edb1727d689ec9e40f8f69a
Instruction Fuzzy Hash: C8318C35E102559FCF45DF64D89469EB7B2BF8A300F208529E906AB340DB75EE86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06C12090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec23a69836a491f2bdc51fb602541077460ff59e7db9901b24ae469f90512291
Instruction ID: 19775e49773dfa119496e86ffc0a7f187ca6e9d703cd87f388e2f5b48ddffe7e
Opcode Fuzzy Hash: ec23a69836a491f2bdc51fb602541077460ff59e7db9901b24ae469f90512291
Instruction Fuzzy Hash: FF317C35E102199FCF45DFA5D85469EB7B2BF8A300F208529E906EB340DB75EE86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C13A81 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef43555bfdbccd3580ed3332f2445ce132bebc16f5edeb0aef8d287c75b8c28
Instruction ID: 4eca959dc6017549f901946680587c5753a282a97109703bc7cc9135460299da
Opcode Fuzzy Hash: eef43555bfdbccd3580ed3332f2445ce132bebc16f5edeb0aef8d287c75b8c28
Instruction Fuzzy Hash: 8C219179F102059FDB50CF78D940AAEBBF5EB48714F108039E909EB340EB34D9018B95

Uniqueness

Uniqueness Score: -1.00%

Function 06C13A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753b595b1c1fa495036dad9a0bf1e2b3657a6ff3b11d9b030a8137f9a2ceadf5
Instruction ID: e15ba82094f38d74b1a0aaf3f128b661b6ffe8aa1208edd5add1cca8c31d3c46
Opcode Fuzzy Hash: 753b595b1c1fa495036dad9a0bf1e2b3657a6ff3b11d9b030a8137f9a2ceadf5
Instruction Fuzzy Hash: 39217C75E102159FDB40CFA9D980AAEB7F5EB88714F108039EA09EB350EB34DD018B94

Uniqueness

Uniqueness Score: -1.00%

Function 06C16CE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26fee812273e8eba8e4e2217d15c5bab56c11ace45b7272b4f377d29f8d41c6
Instruction ID: 6efbce8a9a1d9edc7143f7d01a0ae50490609305b5d4a3fb392c3771ca5a378e
Opcode Fuzzy Hash: c26fee812273e8eba8e4e2217d15c5bab56c11ace45b7272b4f377d29f8d41c6
Instruction Fuzzy Hash: 1A21D130B11119AFDF54EB69E8506AEB7B7EB85250F208429E409EF340DB31ED428BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0121D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2872488063.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_121d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6130d4a1bc7ad0da8ddb2662a610b2b9d04dc0a7dd99b8465fc4d22afe68052
Instruction ID: 92e8296dd2cfb31b443e22731f73508ddcd759682c81908fb5867f27f6719371
Opcode Fuzzy Hash: e6130d4a1bc7ad0da8ddb2662a610b2b9d04dc0a7dd99b8465fc4d22afe68052
Instruction Fuzzy Hash: BD217671110208DFCB01DF68C9C8B26BBE1FB94314F20C6ADE9494B35AC77BD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06C16CF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7195c053b936dec95ec91a0b0f08b2650a2ff2223171030a1d8f8c29f8a5de0
Instruction ID: be42f45ddb35794532d874c65275c2bad089fadf7cc0c95f01d47164dc86da9f
Opcode Fuzzy Hash: f7195c053b936dec95ec91a0b0f08b2650a2ff2223171030a1d8f8c29f8a5de0
Instruction Fuzzy Hash: 7121D331B101199FDF54EB6AE9506AEB7B7EB85310F248439E409EF344EB31ED428B94

Uniqueness

Uniqueness Score: -1.00%

Function 06C13BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2a1bbfae963d9f5e6fd4364b08869dfda72a240cc63bff157a443c4629560e
Instruction ID: 2b3b4a0dac773ca9e10f738013f2790c1f9aeca9cf796293e41598beaa9e962f
Opcode Fuzzy Hash: 4b2a1bbfae963d9f5e6fd4364b08869dfda72a240cc63bff157a443c4629560e
Instruction Fuzzy Hash: A111A131B141259FDF54AA68DC14AAF73AAEBC9314B00453AD40EEB340EE24DC029BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06C141E2 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c510cc9291977010a53c19668f97adcf767ec57ebb1ee1c00ec2e5ef89e6381b
Instruction ID: 89f088121391c68652aa05d52baaebef666ca1c405daed7ccf4a9b01c30704d9
Opcode Fuzzy Hash: c510cc9291977010a53c19668f97adcf767ec57ebb1ee1c00ec2e5ef89e6381b
Instruction Fuzzy Hash: 9C01B131B000105FDB69A6BDA814B2BB6DBDBCA714F24C43DE50ACB385D925DD434395

Uniqueness

Uniqueness Score: -1.00%

Function 06C13858 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a8852ebe2ace9fcd7c28944a524c692e2246993889fabe5c1d552a100d85ab
Instruction ID: 11db7a6bc55d97a8199507f47ab534aa0669a1c65409f51029bfe8e085978aca
Opcode Fuzzy Hash: 10a8852ebe2ace9fcd7c28944a524c692e2246993889fabe5c1d552a100d85ab
Instruction Fuzzy Hash: 5621F4B1D01259EFCB10CF9AD884ACEFFB4FB49314F10812AE918A7200C374A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0121D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2872488063.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_121d000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 2f87737d2e98228e6872e0ed2cae01cb29633b5f292037ed3f91154e00106dbc
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8111D075504244CFDB12CF64C5C8B15BFA1FB44314F24C6A9D9494B256C33AD44ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 06C1A2D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f50fec5f766efe56907bd07457d39669f377f5efc607372265d7f56b412dd15
Instruction ID: ce59bbdd75e3acc6ad0f26b4cf394d95439c7cc00064f71f149c37c8b2f5f530
Opcode Fuzzy Hash: 8f50fec5f766efe56907bd07457d39669f377f5efc607372265d7f56b412dd15
Instruction Fuzzy Hash: 18017170B104111FD765EA69E96072A77D7EB8B610F10843DE50ECB381EA66DE034391

Uniqueness

Uniqueness Score: -1.00%

Function 06C1ED61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328f6d193f544a9aeb96a4c07f481cb867b063c0200b180f1b2975a855b6e4ff
Instruction ID: 9abd51a0d6d1aebb970ca8efb336e90a843a7108b48ced1177e03833998424c4
Opcode Fuzzy Hash: 328f6d193f544a9aeb96a4c07f481cb867b063c0200b180f1b2975a855b6e4ff
Instruction Fuzzy Hash: 4F01DF31B101201FCB65EA3D9850B2F77DBEBCA610F24843DF50ACB344DA21DD028395

Uniqueness

Uniqueness Score: -1.00%

Function 06C13860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5558db20e49ab1dbfcdc81c62a0fbf07b78e133793ceddfc3cfcd9f9d6201228
Instruction ID: fac8dcfe7d607351ee1933df95880c37ba3477f499d245135ae4075249cd60de
Opcode Fuzzy Hash: 5558db20e49ab1dbfcdc81c62a0fbf07b78e133793ceddfc3cfcd9f9d6201228
Instruction Fuzzy Hash: A011D3B1D01259AFCB00DF9AD884BDEFFB4FB49314F10812AE918A7240C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C13B8F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6b0ea70ce0a905aa00cd2a81986e5a82037f4cebf717609c3fcd6436940fb4
Instruction ID: 4f0e1de08436fe8efbc00a33a69c7828064dd4007716f0d6fc3e1035ba94b8fd
Opcode Fuzzy Hash: ac6b0ea70ce0a905aa00cd2a81986e5a82037f4cebf717609c3fcd6436940fb4
Instruction Fuzzy Hash: D3018F76B141259FEF54DA699D206EF36ABDBC9314F04413ED90EEB280EE648C0397D1

Uniqueness

Uniqueness Score: -1.00%

Function 06C141F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583fccce17fca3cc540f443468d61b31b660874b706c8434ac6de61fc7339d41
Instruction ID: 24de5fb723680a78341edb2907b0300a2d882a5e5592bdae6607f479bc5a657a
Opcode Fuzzy Hash: 583fccce17fca3cc540f443468d61b31b660874b706c8434ac6de61fc7339d41
Instruction Fuzzy Hash: FF016D31B100201FDB69A6ADE854B2BB2DADBCA711F24C43DE50ECB344DA65DE434395

Uniqueness

Uniqueness Score: -1.00%

Function 06C1ED70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7359a79877be26e074539f7c3fc4ab912a2dd205dd446b68b4a9769336ebb4
Instruction ID: d00a036c64db3c712589481368da4cc3d20f65676ae1268d7d85537f484b613e
Opcode Fuzzy Hash: dc7359a79877be26e074539f7c3fc4ab912a2dd205dd446b68b4a9769336ebb4
Instruction Fuzzy Hash: 62016931B105201FCBA5A66D985472E62DADBCAA24F24882DFA0ACB344DA21DD024385

Uniqueness

Uniqueness Score: -1.00%

Function 06C1A2E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b6178ed08411ed5506eaa9dd5befe5b093d59ce4ac2db1211cfdc4d6068007
Instruction ID: 247e9ffeed8299c22211b7575bcddb8b1c31fa429727df242194b1995b92d2fc
Opcode Fuzzy Hash: 18b6178ed08411ed5506eaa9dd5befe5b093d59ce4ac2db1211cfdc4d6068007
Instruction Fuzzy Hash: 2F018130B100114FDB55EABDD95072E73D6EB8A710F10843DE60ECB341EA25EE034385

Uniqueness

Uniqueness Score: -1.00%

Function 06C16451 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e27f76b43f5f99f9b0063128850b63468ae18659c7f2c08f2c005026e7e331
Instruction ID: bf20369c438f414d5fa55e5f973fd6cb9c3fd3b19decbaf7f65fa9c35d78bac5
Opcode Fuzzy Hash: d7e27f76b43f5f99f9b0063128850b63468ae18659c7f2c08f2c005026e7e331
Instruction Fuzzy Hash: 94E092B1A193486FDB50CA75C90564A7A6E9703218F1045A9D504CB242E236CE51A391

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C17678 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C17B4E
$^q, xrefs: 06C17C0F
$^q, xrefs: 06C17C03
$^q, xrefs: 06C17B5A
$^q, xrefs: 06C17791
$^q, xrefs: 06C1779D
$^q, xrefs: 06C17BED
$^q, xrefs: 06C17BF9
$^q, xrefs: 06C177C2
$^q, xrefs: 06C177CE

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 9b45b39a13a2b083d0a155440a9faaac854f08b2179566afcae58abb44929cdc
Instruction ID: 1c598c7175daacb499d45ae88f790639dd0df32e7294a21934d741767b644e83
Opcode Fuzzy Hash: 9b45b39a13a2b083d0a155440a9faaac854f08b2179566afcae58abb44929cdc
Instruction Fuzzy Hash: 0C120A30E002198FDB68DF69C954A9EB7F2FF89304F2085A9D409AB354DB359D86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1A910 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C1AACE
$^q, xrefs: 06C1AAC2
$^q, xrefs: 06C1AA98
$^q, xrefs: 06C1AA06
$^q, xrefs: 06C1AA6D
$^q, xrefs: 06C1AA61
$^q, xrefs: 06C1AA8C
$^q, xrefs: 06C1AA12

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 178d81e0a3ed49df70095e1787a3b84535a86fad6eba3bc07e17ba6f1612eb6d
Instruction ID: 37c95a376ae6a637f3b31e18e9eb42a41cdc46e69bcf23e85b5829e5828e4803
Opcode Fuzzy Hash: 178d81e0a3ed49df70095e1787a3b84535a86fad6eba3bc07e17ba6f1612eb6d
Instruction Fuzzy Hash: C0917E30E0120ADFDB68EFA9DA94B6E77B2EF85300F108529E405AF394DB359D45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C17078 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C173C0
$^q, xrefs: 06C1735A
$^q, xrefs: 06C1758C
$^q, xrefs: 06C17514
.5vq, xrefs: 06C170D3
$^q, xrefs: 06C173B4
$^q, xrefs: 06C17580

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 3387f52feabb8cada0287ab62e0d682cbb82d195cd992f84340f913c59b8cde4
Instruction ID: 43956e0d7943dc9ea6f7dff43bf7f4469b5bc59cb5b574248976ab48eea1c957
Opcode Fuzzy Hash: 3387f52feabb8cada0287ab62e0d682cbb82d195cd992f84340f913c59b8cde4
Instruction Fuzzy Hash: F6F13A34A00209CFDB59EF69C594A6EB7B3FF89304F608568D405AB368DB35ED86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C183A8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C1860E
$^q, xrefs: 06C18602
$^q, xrefs: 06C18673
$^q, xrefs: 06C18667

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: afe1e122ddea1ec9993aa3042cdf3bc8717bf00263d1a89c4a0c0759256217d1
Instruction ID: dcd2c536ec53fcd20d10afa123c96556cb45fd0495e1cbf46fd6cdb26f649de1
Opcode Fuzzy Hash: afe1e122ddea1ec9993aa3042cdf3bc8717bf00263d1a89c4a0c0759256217d1
Instruction Fuzzy Hash: C0B14C30E112098FDB58EF69D5946AEB7B2EF85300F248929E406EF355DB35DD86CB80

Uniqueness

Uniqueness Score: -1.00%

Function 06C187C0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C1883F
$^q, xrefs: 06C1884B
LR^q, xrefs: 06C18902
LR^q, xrefs: 06C188B3

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: c42b9d4c5b47831ff8ff4a8b127bd525ba0797b222cf10dd803dde689f43df41
Instruction ID: d3835c3c4cf03c9195462a789ce5b5fda972d291dab12273b9ed2ba76b5af105
Opcode Fuzzy Hash: c42b9d4c5b47831ff8ff4a8b127bd525ba0797b222cf10dd803dde689f43df41
Instruction Fuzzy Hash: A851D430B012059FDB58EF29C950A6AB7E6FF85304F10856DE4069F395DB70ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C1AC9A Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C1AE4B
$^q, xrefs: 06C1AE1C
$^q, xrefs: 06C1ADC9
$^q, xrefs: 06C1AE74

Memory Dump Source

Source File: 00000009.00000002.2894502210.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6c10000_45brrQrxwH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 9ad9f72e78d4940de3d8758c172d14d61b32411ee8c8157dacba47f6edef65b1
Instruction ID: a1b3e8f9d63f034c174d55c7b6a57f77e22abd23b31e9884d403bfca3f5860d9
Opcode Fuzzy Hash: 9ad9f72e78d4940de3d8758c172d14d61b32411ee8c8157dacba47f6edef65b1
Instruction Fuzzy Hash: 88519130E122099FDB69EFA8D5805AEB3B2EF8A300F108529D405DF354DB31DE41DB91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XEWKUH.exePID: 8160, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	210
Total number of Limit Nodes:	6

Executed Functions

Function 074674FD Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0746773E

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 083833fc05653949347675621e7ae535e8fc9b6fbe9bd3291ca0e5980f7eb721
Instruction ID: ac5a026a29c45fb6da9f30c16cbd3821dfb52639847198c8d6c744892e1ff0be
Opcode Fuzzy Hash: 083833fc05653949347675621e7ae535e8fc9b6fbe9bd3291ca0e5980f7eb721
Instruction Fuzzy Hash: ACA17DB1D0021ADFDF21CF68C845BEEBBB2BF44314F1485AAD849A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07467508 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0746773E

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7e5f6058aac9daaf852dd063180fb6ab099eb1181dc1e126922b1fb7d6dfde97
Instruction ID: 051b68b613eadb4a05cdad825c1362da7064f461cfc79979cd8be7d452fc9eba
Opcode Fuzzy Hash: 7e5f6058aac9daaf852dd063180fb6ab099eb1181dc1e126922b1fb7d6dfde97
Instruction Fuzzy Hash: 89916DB1D0021ADFDF11CF68C845BEEBBB2BF44314F1485AAE808A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02B0AE90 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 513cd4e5dd22796496c7216359f8d2d33aee06d889d941d4a49a1adb235c1e30
Instruction ID: 8ac559b3468d999913d6d49f291ae7226700f463925fc596ad17ab6da269525f
Opcode Fuzzy Hash: 513cd4e5dd22796496c7216359f8d2d33aee06d889d941d4a49a1adb235c1e30
Instruction Fuzzy Hash: C87138B0A00B058FDB25DF29D19075ABBF2FF48304F108A6DD186D7A90DB75E945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B0449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B059C9

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 66a202436cc987cac75adf666a55dd3d875bbb0878a24753fd1f0529004a0c97
Instruction ID: 98948c3e8c177740550d5143635d00c284b3249a12368fb9bca92c196636d4ec
Opcode Fuzzy Hash: 66a202436cc987cac75adf666a55dd3d875bbb0878a24753fd1f0529004a0c97
Instruction Fuzzy Hash: CF41E3B0C0071DCFDB24DFA9C98479DBBB5BF48304F6480AAD409AB255DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B0590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02B059C9

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 244e7fb47d18c7bbf3a37da3c5e02dce215cb24a23166038b5e7351f293ff10d
Instruction ID: 70d7c2e6c21969e953b010c48f0223e9bceab1d55d16408355fee6de4ff8a5b5
Opcode Fuzzy Hash: 244e7fb47d18c7bbf3a37da3c5e02dce215cb24a23166038b5e7351f293ff10d
Instruction Fuzzy Hash: 0141F2B0C00619CFDB24DFA9C98479DBBB5BF48304F2480AAD418AB295DB756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02B0D421 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B0D326,?,?,?,?,?), ref: 02B0D3E7

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 28631e963391db8a91b2a241909658b339502089d643d394f902da3902f7f150
Instruction ID: c89e2dc84822a7dbb3656ba7ee440782180a894b4561238704fe4479cd89ce17
Opcode Fuzzy Hash: 28631e963391db8a91b2a241909658b339502089d643d394f902da3902f7f150
Instruction Fuzzy Hash: 8F315A74A513818FF7009FA4F446B693FAAF788310F11852AF9128B7D4CEB84D95CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B0A8B8 Relevance: 1.6, APIs: 1, Instructions: 79
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B0B161,00000800,00000000,00000000), ref: 02B0B372

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8181fb67f7d25a2e6a1ccf1b95069b30c01014bf2d02fdda6cb97868a2bea0c4
Instruction ID: e1c5bf5e7894bd436afa1bcf77fc54e9f6d57ba7d3ad968ef0b9a5f447eab773
Opcode Fuzzy Hash: 8181fb67f7d25a2e6a1ccf1b95069b30c01014bf2d02fdda6cb97868a2bea0c4
Instruction Fuzzy Hash: 9631EEB68043888FDB11DFA9C894BDEBFF4EF49314F05809AD494A7251C3749644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07467278 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07467310

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0241f36448d50ce7f9702b69ae7ca33b8cc1180de063933ab87675565b70a295
Instruction ID: 8fb2b21916c2af84661f6d139e0bf7c9fdfda1ff346704a61c8b1d2db3f80bd3
Opcode Fuzzy Hash: 0241f36448d50ce7f9702b69ae7ca33b8cc1180de063933ab87675565b70a295
Instruction Fuzzy Hash: 3E2126B19003599FCB10CFA9C885BEEBBF1FF88314F10842AE959A7250D7789945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07467280 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07467310

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1b517a3b9846a0b33e52273a4feda648f90831158a58c6831e962006331c475e
Instruction ID: 8b650924d8552e0682bd5f097470800291a06e99157a1c5964761141a4e45d27
Opcode Fuzzy Hash: 1b517a3b9846a0b33e52273a4feda648f90831158a58c6831e962006331c475e
Instruction Fuzzy Hash: EF2136B1900359DFCB10CFA9C885BEEBBF5FF48314F10842AE959A7250C7789944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07467369 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074673F0

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cc1dced351e7b2fca52ef1cf0491868621803989b28915591017b353e18c2667
Instruction ID: f6e3eaf61f50eec3603fce09db50c8483290bf13228cc4a6628673f396d6f4ee
Opcode Fuzzy Hash: cc1dced351e7b2fca52ef1cf0491868621803989b28915591017b353e18c2667
Instruction Fuzzy Hash: 952125B1D002599FCB10DFA9C985AEEFBF1FF48324F10842EE959A7250C7389945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B0CA00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B0D326,?,?,?,?,?), ref: 02B0D3E7

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 356400163cd4a1c3474a931354a6aee60c3ba0519192d16d7f7f91679e398527
Instruction ID: 3c880e6c1988eea3a34616e693783b59c10b1c1b1518dcf6afdcf1a317c1dc81
Opcode Fuzzy Hash: 356400163cd4a1c3474a931354a6aee60c3ba0519192d16d7f7f91679e398527
Instruction Fuzzy Hash: DF2103B59002099FDB10CF9AD584AEEBFF8FB48310F10805AE914A3350C374A940CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 074670E2 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07467166

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c8521782335f3524a0cdb9fd89180990e57583a1878083e86e2a778f6e13422a
Instruction ID: 029db1c245a7f2fc6bdee4d09b4ba6084b526ced24d63ce13a32078b8026da40
Opcode Fuzzy Hash: c8521782335f3524a0cdb9fd89180990e57583a1878083e86e2a778f6e13422a
Instruction Fuzzy Hash: CF2107B1D002098FDB10DFAAC4857EEBBF5AF89324F14842AD459A7341CB789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07467370 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 074673F0

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8c7875951260abfb04222ff35bce435092681423f114afaa7b42dc7aca788223
Instruction ID: ce24ed599d6e4644ade0000eab1faa0ce3d497553705cb7854bc6aef105a9ec6
Opcode Fuzzy Hash: 8c7875951260abfb04222ff35bce435092681423f114afaa7b42dc7aca788223
Instruction Fuzzy Hash: 402139B1C003599FCB10DFAAC844AEEFBF5FF48310F10842AE559A7250C7389944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 074670E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07467166

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f71581df58c8416f4e8078a86b953f069d47c99ca3f26f1032ee0b669908b383
Instruction ID: 1f83bb9faa686548b78011e5fc8ab77ea7ea80ba0f9e7f176839a622e0e00673
Opcode Fuzzy Hash: f71581df58c8416f4e8078a86b953f069d47c99ca3f26f1032ee0b669908b383
Instruction Fuzzy Hash: 522118B19003098FDB10DFAAC4857EEBBF4EF49324F14842AD559A7341CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B0D358 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B0D326,?,?,?,?,?), ref: 02B0D3E7

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6410f2f7ef749a9b440f55249a237d38b837d96356bb8ca12a0d84a4488124f2
Instruction ID: 5ad4c7758577350ca309624ad1d39d8cdd0069cbbade6b6bec74dc32f0b8c398
Opcode Fuzzy Hash: 6410f2f7ef749a9b440f55249a237d38b837d96356bb8ca12a0d84a4488124f2
Instruction Fuzzy Hash: 4B21E0B59002199FDB11CFA9D984AEEBFF5EB48324F14845AE958B3350D378AA50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 074671B8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0746722E

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91120513f72625a276096f73e9bf2b4a9fd2a0d0f3ab4f53b014aa8831eae565
Instruction ID: 62fa7e48da0b177e4d513d180a1e19e059b942ab0a5dcfa9869dca425947462f
Opcode Fuzzy Hash: 91120513f72625a276096f73e9bf2b4a9fd2a0d0f3ab4f53b014aa8831eae565
Instruction Fuzzy Hash: 6B116AB19002499FCB20CFA9C845BEFBFF5EF88324F208419E555A7250C7759945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B0A8D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B0B161,00000800,00000000,00000000), ref: 02B0B372

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d424e9cc0f122333f6f30e478e06e6022b22f0c8c32e6d96542c58306192cc4
Instruction ID: 2e33544df435ecf082a64ad8d34460c818a2b6e7417ad9f2c92d6937044ff919
Opcode Fuzzy Hash: 2d424e9cc0f122333f6f30e478e06e6022b22f0c8c32e6d96542c58306192cc4
Instruction Fuzzy Hash: CB1123B69003488FCB20CF9AC584AEEFFF4EB58314F10846EE819A7250C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 074671C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0746722E

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a31a24c4eeb35d55d513ad1f67ffe82efb8aa986280a347b6caf8d07ebc97d83
Instruction ID: 3573053479a9121571d6cc844eee1dc1dcbca047d9882c866ec27b3e6fe0b907
Opcode Fuzzy Hash: a31a24c4eeb35d55d513ad1f67ffe82efb8aa986280a347b6caf8d07ebc97d83
Instruction Fuzzy Hash: 0C1137B19002499FCB10DFAAC844BEFBFF5EF88324F10841AE559A7250C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B0B300 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B0B161,00000800,00000000,00000000), ref: 02B0B372

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f41c948373de3a45f5789345316e7331e9b31fa312db0b2d4a8d9af8d120d63
Instruction ID: e9320327c7d1477c1014316145f67321813bc581f6daf649774905fc308e1a39
Opcode Fuzzy Hash: 6f41c948373de3a45f5789345316e7331e9b31fa312db0b2d4a8d9af8d120d63
Instruction Fuzzy Hash: 841112B69003098FDB10CFAAC584AEEFBF4EB48324F14846AD459A7250C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07467030 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0746709A

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 51aca7a77c8fa5aa3ede37c8d09031eabd7c3fdc139aa5c0ac4f55809dbd68e2
Instruction ID: 382cafb0f217f06bff8380719a723ccdf3d73e72574ea8f87c55ad08b5510b80
Opcode Fuzzy Hash: 51aca7a77c8fa5aa3ede37c8d09031eabd7c3fdc139aa5c0ac4f55809dbd68e2
Instruction Fuzzy Hash: 191158B1D002488FCB20DFAAC8457EEFBF5AB88324F20841AC459A7250CB75A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B09898 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B0AEAC), ref: 02B0B0E6

Memory Dump Source

Source File: 0000000B.00000002.1715167347.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2b00000_XEWKUH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4a0fed06c3c3430a02f75b8ea4ef4d48d84bd34e527fbb97d4c4b7b81a98561e
Instruction ID: 7711c3a2b648833985cccbcd4ed8a81d071d2d1e4ddec76a37221a31dbbb2fa9
Opcode Fuzzy Hash: 4a0fed06c3c3430a02f75b8ea4ef4d48d84bd34e527fbb97d4c4b7b81a98561e
Instruction Fuzzy Hash: A21120B19003098BCB20CF9AC484A9EFBF4EB88314F10846AD469B7250D375A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07467038 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0746709A

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 809df2a644b3401619cc48e739f40fe62fc97925847ea5997182451c4f219407
Instruction ID: 8b260483318c8d3511656373bae6c8675784248b8734e6856a7698b0684d0bc4
Opcode Fuzzy Hash: 809df2a644b3401619cc48e739f40fe62fc97925847ea5997182451c4f219407
Instruction Fuzzy Hash: BD1128B19002498BCB20DFAAC8457EEFBF4AB88324F20841AD559A7250CB75A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07468360 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0746AF7D

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e4e9fb3ed02b685c2699de6539b2ef34b2f5b72ae5d4952becb08bf17e06d5dd
Instruction ID: c104a523d2bf8660b3e9bdbe233ab920664ead9d4626e62688448b08da299a6a
Opcode Fuzzy Hash: e4e9fb3ed02b685c2699de6539b2ef34b2f5b72ae5d4952becb08bf17e06d5dd
Instruction Fuzzy Hash: D11125B59007489FCB10DF89D448BDEBBF8EB48310F10845AE558B7210C375A940CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0746AF18 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0746AF7D

Memory Dump Source

Source File: 0000000B.00000002.1723431374.0000000007460000.00000040.00000800.00020000.00000000.sdmp, Offset: 07460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7460000_XEWKUH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 77652282736389afc0db493fe8027dbbc45875656ce49b5723d23c97d303117f
Instruction ID: 1a4fe5000e02d31b560e1fbbfd197ac2a1364083b3d91ae88d18f7e17692f8d5
Opcode Fuzzy Hash: 77652282736389afc0db493fe8027dbbc45875656ce49b5723d23c97d303117f
Instruction Fuzzy Hash: BB11F5B59003499FDB10DF99D489BEEBBF4EB58320F10841AD458A7210C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714825629.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a2d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5607522c126281becbfc16a67a524ba5ff46792e8f6ed1c70b3dc342bd1df08
Instruction ID: f3f62811e8b3140ba668c51efea1757a80fb5b81475979e0ea58e23bf99f49a5
Opcode Fuzzy Hash: f5607522c126281becbfc16a67a524ba5ff46792e8f6ed1c70b3dc342bd1df08
Instruction Fuzzy Hash: 35212571504640DFDB05DF18D9C0B26BFA9FB88318F20C569E8094B257C776D45ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714825629.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a2d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f93e446db04bd73fe99f52038cbdc5130b18897b00da291b714823b73002ec3
Instruction ID: c5c5c4b3b6268185761fc84a72e54b3608fffdf5db3006e545359251220f0241
Opcode Fuzzy Hash: 4f93e446db04bd73fe99f52038cbdc5130b18897b00da291b714823b73002ec3
Instruction Fuzzy Hash: 94212571504604DFDB09DF18DAC4B26BF65FB98324F20C169E90A4F257C736E45ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714898888.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a3d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b265f2a464e5f45c6586f2c8b6fd055223cc538c57574e1a50f6c50f4d36cb60
Instruction ID: 78fcae80d90f3c10080fe56adf148b68e087db41d9a024d13718b663819edd9b
Opcode Fuzzy Hash: b265f2a464e5f45c6586f2c8b6fd055223cc538c57574e1a50f6c50f4d36cb60
Instruction Fuzzy Hash: 16210471504600EFDB06DF94D9C0B26FBA5FB88314F20C66DF8494B256CB36D44ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 02A3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714898888.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a3d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ccf3643d009b23410a8b1f3358b1547dd8e0f9584650fe8266e1c962d4e1b3
Instruction ID: b8d938245e2060cd39fa2055de39c6ffb7cdf3fea852c071a20281aa9cd1e999
Opcode Fuzzy Hash: a4ccf3643d009b23410a8b1f3358b1547dd8e0f9584650fe8266e1c962d4e1b3
Instruction Fuzzy Hash: A8214270604600DFCB12DF24D9C0B26BFA5FB85B14F20C569E80A4B256CB3AC807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 02A3D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714898888.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a3d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction ID: 6e2822b3219d76d1fab1395af70c877b5fee92916fb0c62cf8d722d703b989a4
Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction Fuzzy Hash: E4216A755097808FCB02CF24D994715BF71EB46214F28C5DAD8898B2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A2D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714825629.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a2d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b22ec0bdf577430c003e13604620a38b21f1158a879b7290baf04515307484b6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E711D376504680CFDB16CF14D5C4B16BF71FB84318F24C6A9D8494B657C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714825629.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a2d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e4a3b1515cd078ad360c61919b6bbcfc2a86b7358dd8e15c823f9fb0393dddbd
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: D111E172404680CFDB06CF04D9C4B16BF72FB94324F24C2A9D8090B257C33AE45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1714898888.0000000002A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2a3d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ba765785dfe505a708f2159e73ff1cf88d808ef655a133907516bbfd9e0ed701
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2A11BB75504680DFCB02CF50C5C4B15FBA1FB84218F24C6AAE8494B296C73AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: XEWKUH.exePID: 5996, Parent PID: 8160COMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	4

Executed Functions

Function 06C53040 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C53774
$^q, xrefs: 06C53768
$^q, xrefs: 06C5373F
$^q, xrefs: 06C5374B
$^q, xrefs: 06C5378C
$^q, xrefs: 06C53798

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 52673a2f7d01c2ba2086a0dae45bfa7cc3e5db1191be3fc36bde2931b842e166
Instruction ID: 59d5382ff0ac4a494ccabc3ee64baa01cf06a9d7a6ba871a0c41afe64b9577bf
Opcode Fuzzy Hash: 52673a2f7d01c2ba2086a0dae45bfa7cc3e5db1191be3fc36bde2931b842e166
Instruction Fuzzy Hash: 36322031E1075ACFCB54EF75C89459DB7B2BF89300F11C6AAD409AB224EF709A85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C57D58 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C58095
$^q, xrefs: 06C580A1

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 8ae55c513cd003d6d8d4f02dd5f4dbfdded42745c0fb289a9e3457d7d4317862
Instruction ID: 7e7ec4bb8733c51abcf360a764bf28b3dfd3a481b4e09c27ba657bd5e3b492e8
Opcode Fuzzy Hash: 8ae55c513cd003d6d8d4f02dd5f4dbfdded42745c0fb289a9e3457d7d4317862
Instruction Fuzzy Hash: 5902AE30B012199FDB54EF68D990B6EB7A2FF84300F158569D80ADB394DB31ED82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C565D0 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826a677a00f028678f0b0c87a015cf3d1607b92c51f50b170d798e55870952bf
Instruction ID: 824b14486447ec3fdc0efe2d17d74e53e1736559c12f7081036f2f4e411b6d28
Opcode Fuzzy Hash: 826a677a00f028678f0b0c87a015cf3d1607b92c51f50b170d798e55870952bf
Instruction Fuzzy Hash: 4162C034B002048FDB54EB69D994BADB7F2EF84314F558469E806DB3A4DB31ED82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06C55578 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eefe462bd50c91af48c64a086335ac9a6799ebe27e6021f4b789fbb3bb5735
Instruction ID: 9c5c74be24cec75f26057f4b442325b3a5a59575b1e2660b833114cc01aff459
Opcode Fuzzy Hash: 88eefe462bd50c91af48c64a086335ac9a6799ebe27e6021f4b789fbb3bb5735
Instruction Fuzzy Hash: 4D22E435E002058FDF60DB64C8906AEBBF2EF49320F51846AD855EB395DB31DD82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5B20A Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daeaf929cf0da60216c24bc5b7e5915466469058e7a3726cb5545c917c6d6f8d
Instruction ID: bdb5be0e0ab70e017d91149ccf89facd131a9d5f508811c5c891bc7b24ea2fdb
Opcode Fuzzy Hash: daeaf929cf0da60216c24bc5b7e5915466469058e7a3726cb5545c917c6d6f8d
Instruction Fuzzy Hash: D5226430E102098FDF64DB68D9A07AEBBB2FB45310F218829E805EB395DB35DDC58B55

Uniqueness

Uniqueness Score: -1.00%

Function 06C5ACA8 Relevance: 10.4, Strings: 8, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C5AE80
$^q, xrefs: 06C5AE4B
$^q, xrefs: 06C5AE28
$^q, xrefs: 06C5AE74
$^q, xrefs: 06C5AE57
$^q, xrefs: 06C5ADD5
$^q, xrefs: 06C5ADC9
$^q, xrefs: 06C5AE1C

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 7ccc8c2a7d3a7b18a0865b0611662ab818a0d461bdbab4c6adfaf77755bf69bf
Instruction ID: c6a82e42297448af83ba49420c19709a11b8039222efcb07b09d2c3970b13a23
Opcode Fuzzy Hash: 7ccc8c2a7d3a7b18a0865b0611662ab818a0d461bdbab4c6adfaf77755bf69bf
Instruction Fuzzy Hash: 31E17030E102098FDB55EFA9D8906AEB7B2EF84300F218629D809DB355DB70DD86CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5B630 Relevance: 8.0, Strings: 6, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C5BBE1
$^q, xrefs: 06C5BB85
$^q, xrefs: 06C5BBAD
$^q, xrefs: 06C5BBED
$^q, xrefs: 06C5BBB9
$^q, xrefs: 06C5BB79

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 66454a01eec29b8c6030916acd506a562c51b2de0f032326ae36aefa326629b5
Instruction ID: 427e8dbdfbc84925ca3155d7e5a0114981b2f36de120f84c4a234e2f51a81931
Opcode Fuzzy Hash: 66454a01eec29b8c6030916acd506a562c51b2de0f032326ae36aefa326629b5
Instruction Fuzzy Hash: 9E026230E002098FDBA4DF68D9A06ADBBB2FF45310F11896AD805DB355DB31ED85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 06C59120 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C59190
$^q, xrefs: 06C591CB
$^q, xrefs: 06C591D7
$^q, xrefs: 06C5919C

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 38a5ac238f6d933682370bca5d7fcf087c526b51b0a9ea5f8286f9dabee971c2
Instruction ID: 0c21ac255163c6cf6cca4276f2be4a07b9c9930c0eee1c971ee113d5b6ffde0b
Opcode Fuzzy Hash: 38a5ac238f6d933682370bca5d7fcf087c526b51b0a9ea5f8286f9dabee971c2
Instruction Fuzzy Hash: D8913030F0021A9FDB94DB65DD507AFB3F6AF84204F1084A9C80DEB354EA70DD868B95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5CF20 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C5D317
$^q, xrefs: 06C5D32B
$^q, xrefs: 06C5D31F

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 6004ae8b0dd887ae78b4ebf85441daefe71e0ed4f9243f48369c33304069e2ea
Instruction ID: a15c17446e7a8163bd39340b6d783bb24e1153323599ee6e8cf2416c453eac66
Opcode Fuzzy Hash: 6004ae8b0dd887ae78b4ebf85441daefe71e0ed4f9243f48369c33304069e2ea
Instruction Fuzzy Hash: 55623F30A0020A9FCB55EB68D9A0A5EB7B2FF84304F258569D4059F369DB71ED86CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 06C54B50 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06C54B7B
\Ocq, xrefs: 06C54D2B
XPcq, xrefs: 06C54CA1

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 4e16ae09acff545d31e58e897e55a34f57bace04539b7c1eb6d90d44997e76c5
Instruction ID: 9c42e7594c7a7548a943abc05e667cade1321a8a032be3ee114a30bb61c2d8a2
Opcode Fuzzy Hash: 4e16ae09acff545d31e58e897e55a34f57bace04539b7c1eb6d90d44997e76c5
Instruction Fuzzy Hash: 70616030F102089FEB549FA9C854BAEBBF7FB88700F208429D509AB395DB754D458F95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5910F Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06C59190
$^q, xrefs: 06C591CB

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 9013bfc74e316fcb15e2c0ca492c2ffd951789821ce41c615020ee16d70261b0
Instruction ID: 972d7d0c2b7c42292d3172e945a01d4250bf96009fd6b1c40d34b4816fb0c83f
Opcode Fuzzy Hash: 9013bfc74e316fcb15e2c0ca492c2ffd951789821ce41c615020ee16d70261b0
Instruction Fuzzy Hash: 03616330B002599FDB94DB64DD90B6FB7F6EF88244F1484A9D809DB394DA30DD428B95

Uniqueness

Uniqueness Score: -1.00%

Function 06C54B40 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06C54B7B
XPcq, xrefs: 06C54CA1

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: cfaa890ec965722cd4eb9603b7ac1040851e7ec85c82c7b7dcd2e48ae26dda2e
Instruction ID: 64be2d0c6674a0421efd9ba0f681ea578ca87b1d285693fd5d39791cab996635
Opcode Fuzzy Hash: cfaa890ec965722cd4eb9603b7ac1040851e7ec85c82c7b7dcd2e48ae26dda2e
Instruction Fuzzy Hash: BC515E30F102089FDB559FB9C854BAEBBF7FB88700F20C529D506AB395DA718C458B95

Uniqueness

Uniqueness Score: -1.00%

Function 02EFECA8 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2875539972.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ef0000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8871db09e85bb0a8f37f9ddc9b8586cb4ab99d517bc8c17773f54a7dbb48c4
Instruction ID: 3ed3d25b12e421ebfb3b7a647d3403c1fbd9b9483560fc6cc9463827ddfe6cf6
Opcode Fuzzy Hash: eb8871db09e85bb0a8f37f9ddc9b8586cb4ab99d517bc8c17773f54a7dbb48c4
Instruction Fuzzy Hash: B4413472D003499FCB10DFB9D8046EEBBF1AF89310F14856AE504A7251DB34A885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02EFED90 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02EFEDF7

Memory Dump Source

Source File: 0000000E.00000002.2875539972.0000000002EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2ef0000_XEWKUH.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: ed0139d5b60d84377cc98a15c2de8d0a50265b6b29a9ec971b63ad9f5308818c
Instruction ID: 157d79772a9085fc2782a0ea36b4bfdb97c309c12993e48a39a24bebeb6f4eb1
Opcode Fuzzy Hash: ed0139d5b60d84377cc98a15c2de8d0a50265b6b29a9ec971b63ad9f5308818c
Instruction Fuzzy Hash: 171120B2C002699BCB10CFAAD544BDEFBF4AF48324F14816AD918B7250D378A940CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06C5DA95 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C5DBF1

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 093940b8702a1c28306f9a98cf1e71cf57b4abd8c80be4f8441dbe4a78ca6ad2
Instruction ID: 6ecea2e322f170d7bd7596c0ca832b1d492a9b8b955c8ac57f68b6935d541fde
Opcode Fuzzy Hash: 093940b8702a1c28306f9a98cf1e71cf57b4abd8c80be4f8441dbe4a78ca6ad2
Instruction Fuzzy Hash: 4341B230E0030A9FDB61AF65C95469EBBB2FF85300F254529D802E7340DB71A986CB99

Uniqueness

Uniqueness Score: -1.00%

Function 06C521BD Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C5230B

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 4835c4cb72f4d5fb4f0ed72e1dd92974e3576c8542036d32225ae5201200c3d1
Instruction ID: 77ea3551f2c6cbe2b91017bed6241e8fcfefdbfaed5d69370890b64a2a8584c2
Opcode Fuzzy Hash: 4835c4cb72f4d5fb4f0ed72e1dd92974e3576c8542036d32225ae5201200c3d1
Instruction Fuzzy Hash: E1310330B102048FDB599B74C96466E7BE2EF89310F21442CD806DB394DF79CE86CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C521D0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06C5230B

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: a43400ada3523807348f881dbe045e4f3fcaa99d426146fbffe16656d6593abd
Instruction ID: 85f4d9738d9828037607fc73f45f9f51536f22c848cd2487beb5b444609f4a33
Opcode Fuzzy Hash: a43400ada3523807348f881dbe045e4f3fcaa99d426146fbffe16656d6593abd
Instruction Fuzzy Hash: 8D31AF30B102058FDB59AB74C95866F7BE3AF89310F21442CD806DB394DE79DE86CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C52348 Relevance: 1.0, Instructions: 1004COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783e71581afcee81c53d01756efdd262a786f888310893b178fba5218462330f
Instruction ID: 36afe7abfa13f7702837dfbea8b06cd94c6fe219f63387f0ebdf1dd556e5434d
Opcode Fuzzy Hash: 783e71581afcee81c53d01756efdd262a786f888310893b178fba5218462330f
Instruction Fuzzy Hash: A6925934A002048FDBA4DB68C984A5DB7F2FB44314F5684A9D849EB365DB39EE85CF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C5C160 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39cac1510688e080017181b2f609a404c13a16f489cb8fb4f32507f479e0b05
Instruction ID: a950c0880dfe50b53f7004220422c7f72116597f7efdd2e5814f690f8b814800
Opcode Fuzzy Hash: b39cac1510688e080017181b2f609a404c13a16f489cb8fb4f32507f479e0b05
Instruction Fuzzy Hash: BC328F34B003099FDB54EF68DC90AAEB7B2EB88314F118429D905E7395DB30ED86CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C561D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d335492f42e304c813afa2e6d2f69c7adc9d4773b58dce7e279bed410a6d4e
Instruction ID: 591a890ba0c931e821348bd8a0abfe76e9884a8e59206c6fceeb84fd9fd91267
Opcode Fuzzy Hash: d0d335492f42e304c813afa2e6d2f69c7adc9d4773b58dce7e279bed410a6d4e
Instruction Fuzzy Hash: A461BF71F001114FCB50AA7ECC88A6FEAD7AFC4620B56443AD80EDB364EE65DD4287D6

Uniqueness

Uniqueness Score: -1.00%

Function 06C545A0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839c3c06dab82bfba0b7097a56e93f0fb6ec5ec8f96e0e8e2c541b0e6cb9bdc1
Instruction ID: 481d8d7c807080c059187401b93f11ed93036e01477dd93ed5460088b6d0a284
Opcode Fuzzy Hash: 839c3c06dab82bfba0b7097a56e93f0fb6ec5ec8f96e0e8e2c541b0e6cb9bdc1
Instruction Fuzzy Hash: 89913B30E102198BDB64DF68C890B9DB7B1FF89300F21C59AD549AB295DB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C54281 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1016c93d605dd039d5219785e6fcf9eb03820dc7e3d68d1f7ea487bd73340c
Instruction ID: 6275cefc1a8531e3f68c93f2b7ba5a9872c34190ca903ed6ca815f73dd93110c
Opcode Fuzzy Hash: 7f1016c93d605dd039d5219785e6fcf9eb03820dc7e3d68d1f7ea487bd73340c
Instruction Fuzzy Hash: D9816030B002099FDB58DFB9D95479EB7F2AF89304F118429D80ADB394EB70DD828B95

Uniqueness

Uniqueness Score: -1.00%

Function 06C545B8 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec67621c70feb8b3cd4049c0f5b7485ca5f7580edc0c189b3827fa6f82df0afa
Instruction ID: 2fe9423d7cd954c035bd870866eb825de60227572534dcfe259123df6988fcc3
Opcode Fuzzy Hash: ec67621c70feb8b3cd4049c0f5b7485ca5f7580edc0c189b3827fa6f82df0afa
Instruction Fuzzy Hash: E5913C30E102198BDF64DF68C880B9DB7B1FF89300F20C599D549AB395EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06C5EAE0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7113357df565454e3347167052a8aa7628fa499249a0f9ce1cd72ade989d0263
Instruction ID: cb767ecf70b8b02a3de7e0618c17044cad4e94117e13ba50d0eec3ac3d1096a6
Opcode Fuzzy Hash: 7113357df565454e3347167052a8aa7628fa499249a0f9ce1cd72ade989d0263
Instruction Fuzzy Hash: 2B711D30A002099FDB54EFA9D990A9DBBF6FF88300F258469D419EB355DB30E986CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06C5EAF0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7160f0f93d7eab1c30a6d240045b67d83a5ecf8fa9c1e2bdd019d010f29a6bc3
Instruction ID: 845cb3ea192ef8025676e53bcce102e49eaf8b84b7421fec9f0564abb73fbe7f
Opcode Fuzzy Hash: 7160f0f93d7eab1c30a6d240045b67d83a5ecf8fa9c1e2bdd019d010f29a6bc3
Instruction Fuzzy Hash: 45710E30A002099FDB54EFA9D990A9DBBF6FF88300F258469D415EB355DB30ED86CB54

Uniqueness

Uniqueness Score: -1.00%

Function 06C5FC59 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda4fcb92e3e7142208ad27759d1d8ddd6e59424f4cab27b54a1821259ca37c
Instruction ID: 9c5cab532dc9ea261fd4e68946b9ca589bf50c2f32f534528b97d56134d97df9
Opcode Fuzzy Hash: bfda4fcb92e3e7142208ad27759d1d8ddd6e59424f4cab27b54a1821259ca37c
Instruction Fuzzy Hash: 7751F331E00109DFDB68AF78E8586ADB7B2EB84315F11887DE926D7350DB319985CF84

Uniqueness

Uniqueness Score: -1.00%

Function 06C5FA08 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be694ded328591c9dc7dadf69fb0fc1bd64dedb6c9b28a9a56ffd448c55e7204
Instruction ID: 118a4849462299627bc14d93e8f560e0f42f42d5c42f68d3bfc689e779a1d666
Opcode Fuzzy Hash: be694ded328591c9dc7dadf69fb0fc1bd64dedb6c9b28a9a56ffd448c55e7204
Instruction Fuzzy Hash: DF51E730B202089FEF686668DD6472F365FD789310F21082ED51AD7399CA69CDC64BE7

Uniqueness

Uniqueness Score: -1.00%

Function 06C5FA18 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3546dfacb9f64afa9a5ef110a651f4ea4ec2236f8f4fb66ee042980272b363
Instruction ID: a8b95bffc69fb0f47de1ebc68892da3871519843fb79f4ba1a5065fb52cd4a84
Opcode Fuzzy Hash: 5b3546dfacb9f64afa9a5ef110a651f4ea4ec2236f8f4fb66ee042980272b363
Instruction Fuzzy Hash: A751C830B202089BEF686668DD6472F365FD789310F21442ED51AD3398CA69CDC54BE7

Uniqueness

Uniqueness Score: -1.00%

Function 06C553F8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfadeadd12304f63f63d6a582b800b481540012a4581e1c59d99d047d3742f92
Instruction ID: 4b391d2641f0b7774b3c74a76f911fc86a151271dc75b278a2e2eb5180f618e4
Opcode Fuzzy Hash: bfadeadd12304f63f63d6a582b800b481540012a4581e1c59d99d047d3742f92
Instruction Fuzzy Hash: CB419D71E006098FCF70CEA9DC80BAFFBB2EB84310F51492AE516D7251D730E9958B95

Uniqueness

Uniqueness Score: -1.00%

Function 06C55567 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4122a6ea0a0e5a42bf880b2ff70a6a672b8a1634884d180bbe790542d626f5
Instruction ID: f716c6a9382f78ba50edce14dcf36dce1205c05df52cc8a4d49e86fde35212c2
Opcode Fuzzy Hash: 8c4122a6ea0a0e5a42bf880b2ff70a6a672b8a1634884d180bbe790542d626f5
Instruction Fuzzy Hash: F641A731E102458FDF60CB69C8C0A7EFBB1EB45310FA2896ED459DB351C634DA81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C52080 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33736b72964a9559a9a0998e9d780cac9680bdcf27d6f4a09bbe12fb20a11bd
Instruction ID: c673a83482a8b80422cfb4928dc13883fe3d4e2bb5229bb19d88b86ba84558b7
Opcode Fuzzy Hash: e33736b72964a9559a9a0998e9d780cac9680bdcf27d6f4a09bbe12fb20a11bd
Instruction Fuzzy Hash: 01317931E00209ABCB55DBA5D854A9FB7F2EF89300F158529E906A7354DB71EE82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C52090 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0692a3514a85ece3251babb7234f1b390320c92eb6330e91d3d5d075df27ec7e
Instruction ID: d11e3ac23e8855b333aeb5611bcfe8cf054f28dc62d05a071b67949811b94d70
Opcode Fuzzy Hash: 0692a3514a85ece3251babb7234f1b390320c92eb6330e91d3d5d075df27ec7e
Instruction Fuzzy Hash: B6315A31E002099BCF55DF65D854A9FB7F2AF89300F118529E906A7354DB71ED82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C53A81 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 732471704b78033038de51f70901be443da6676c4fb6b41474e32c25fd4ca717
Instruction ID: 4bee6cb4bb8cf3a280455e5051c1aa56a44108a66a93ca00f91c81c9f4cc4836
Opcode Fuzzy Hash: 732471704b78033038de51f70901be443da6676c4fb6b41474e32c25fd4ca717
Instruction Fuzzy Hash: 8221A175F002099FDB40DFA9DC80AAEBBF6EB48750F118029E909E7380E731D941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C53A90 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2891235cf40fe0b60db9d833f68e7230b07922476053251ff5f23feec424a2
Instruction ID: 875c7e0e6d636662708520f1f609109bc0ecf63e1f61bdbd63328b9550008489
Opcode Fuzzy Hash: be2891235cf40fe0b60db9d833f68e7230b07922476053251ff5f23feec424a2
Instruction Fuzzy Hash: F5218E75F002599FDB40DFA9DC90AAEB7F1EB48750F11802AE909E7384E771D941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 06C56CE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b4a2481524ea491a1c045d23e085a9ebcfe8f1348d69eacd74d1dfd8a02afa
Instruction ID: 8cc70bd78b6593376821ae57f63764f1f3c8bfce5b7e40bd9a660167e33f8646
Opcode Fuzzy Hash: d0b4a2481524ea491a1c045d23e085a9ebcfe8f1348d69eacd74d1dfd8a02afa
Instruction Fuzzy Hash: 2E21D430B101089FDF54DB69E8506AEB7F7EB84350F61843AE805EB351D7319D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 02D1D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2874614272.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d1d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8dc60463a0a4034b9410d85af82b34fa15922cea37723cf5c0101de8de8416c
Instruction ID: 2d818f48c6294f53759e48acae77db9437b68a40c9fb3a34f31b860b56562a97
Opcode Fuzzy Hash: b8dc60463a0a4034b9410d85af82b34fa15922cea37723cf5c0101de8de8416c
Instruction Fuzzy Hash: 1A2107B1504204EFDB14DF24E9C4B26BB66FB84314F30C66DE8494B751C736DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06C53BA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6537b385ae5e6dcd0372c93473b3e8bbff56d5e17d98cb423099f01df022cd
Instruction ID: 3285c487964d71107cc60784fe35bd1704840cee500ea3f897391d9a72f653bf
Opcode Fuzzy Hash: 3d6537b385ae5e6dcd0372c93473b3e8bbff56d5e17d98cb423099f01df022cd
Instruction Fuzzy Hash: ED11A131B042295FDB54A668CC14AAF73EAABC8250F05453AC80EE7344EF64DC428BD5

Uniqueness

Uniqueness Score: -1.00%

Function 06C541E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2122d57e726d1da5f532082fba06eb9c817b50d70945eb3fbf8f7d5622160e
Instruction ID: 4ebb9174981d3b2313c10f1749bd459dc1a420433ba556e645a3169895bf9f2c
Opcode Fuzzy Hash: 9d2122d57e726d1da5f532082fba06eb9c817b50d70945eb3fbf8f7d5622160e
Instruction Fuzzy Hash: CC01DE30B000101FCB65AABDAC28B1BBAEBCB89714F14C43DE90EC7344DA25CD8243A9

Uniqueness

Uniqueness Score: -1.00%

Function 06C53B8F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad576976edf1d94ac0172b5f548165d2a1d8aa165e9f58eb4034d3b332c90820
Instruction ID: 9ae5f3d266f9080495df19aae2239a512e49d31692c1c1055025c790c6ac78d4
Opcode Fuzzy Hash: ad576976edf1d94ac0172b5f548165d2a1d8aa165e9f58eb4034d3b332c90820
Instruction Fuzzy Hash: FA01A731B142295BDB54A569DC20AEF77AFDBC8250F05413ED90ED7284FF609C4247D6

Uniqueness

Uniqueness Score: -1.00%

Function 06C53858 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4e72c6dc63c4e796469620d47d813b9d30dfab92fcc24e921aa81c14c040f7
Instruction ID: 510ad71b36195bce72605ff970127a7ea08aba2427141c4e3dc2763c99f12097
Opcode Fuzzy Hash: da4e72c6dc63c4e796469620d47d813b9d30dfab92fcc24e921aa81c14c040f7
Instruction Fuzzy Hash: E421E2B1D01259AFCB00CF9AD884ACEFBB8FB48310F10812AE918A7240C374A550CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02D1D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2874614272.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2d1d000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: c465c259667306c3d892a962ac609b1d9e1e091a974c1a114be5475181ac4db0
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 6A119D75504284DFDB15CF24D9C4B16BFA2FB88318F24C6AAD8494B756C33AD84ACF62

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A2D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be576e1d744444b8ccdb79cf0d7290ac09c9d6cdf3ba576b662e71335e1c439a
Instruction ID: 5462f7b70caa03ad00d19110bcdad84578b1cf3e6a2e3bf12a9efddf0203fd55
Opcode Fuzzy Hash: be576e1d744444b8ccdb79cf0d7290ac09c9d6cdf3ba576b662e71335e1c439a
Instruction Fuzzy Hash: 14018430B001141FD761E67AED61B1E77DADB89714F118439E90EC7355EA11DD424395

Uniqueness

Uniqueness Score: -1.00%

Function 06C5ED61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e1d843c40389332959021c3dc984c8a2f560c41e54e4a9ef23e8b6b5180fa5
Instruction ID: 791dbaac6db740f873007fa8c150581f5ab6c25dbf0443c307fc438281d661ae
Opcode Fuzzy Hash: 69e1d843c40389332959021c3dc984c8a2f560c41e54e4a9ef23e8b6b5180fa5
Instruction Fuzzy Hash: F201DF32B105141FCB64AA3D9C50B2F77DBDBC9610F15883DE90EC7344DA21EE424399

Uniqueness

Uniqueness Score: -1.00%

Function 06C53860 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b08c9f73905adf3403ad9d17bcb80e93e08745d281beed1457c2a685ad178fc
Instruction ID: 3ab8e765dbc728e9b36a1f9418e16faa5df07b91af1c3d0b4ebabc91f116859a
Opcode Fuzzy Hash: 1b08c9f73905adf3403ad9d17bcb80e93e08745d281beed1457c2a685ad178fc
Instruction Fuzzy Hash: C311B3B5D01259AFCB00DF9AD884ADEFFB4FB49310F10812AE918B7240D375A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06C541F0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d366cc10391e48a82a3c328ef7a8df7b05bb65ab454aad25685841b40c739e3
Instruction ID: 2928bc25bf3b5a271ada65d96f2310d082ab56b699eecb3523a8b0c88e0d6c73
Opcode Fuzzy Hash: 1d366cc10391e48a82a3c328ef7a8df7b05bb65ab454aad25685841b40c739e3
Instruction Fuzzy Hash: E8014F31B000201BDB64A5ADAC5472BA6DADBC9710F15C43DE90EC7344DA65DD824799

Uniqueness

Uniqueness Score: -1.00%

Function 06C5ED70 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a387c23c8d0bc562313cfb7ffd9f0238eaff1c6fd6402a81ab8eef45233afca8
Instruction ID: 00f054ce62e5087131887bb07b18effd24b2e95a11e80aa6ae1b390619b5a142
Opcode Fuzzy Hash: a387c23c8d0bc562313cfb7ffd9f0238eaff1c6fd6402a81ab8eef45233afca8
Instruction Fuzzy Hash: 4501AD31B104140BCBA0AA2D985072F72DBD7C9610F148839E50EC7344DA21DE424389

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A2E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fcd010abf45f428cab0910b3185a8498bd7af28d0901de65d6de947aadd304
Instruction ID: a3d6fcab35694a29568dd4d7fb9ca039edf4feb46d9dcd2a97d5d94a9a86e5d8
Opcode Fuzzy Hash: 75fcd010abf45f428cab0910b3185a8498bd7af28d0901de65d6de947aadd304
Instruction Fuzzy Hash: 7E018130B001140FCBA4EABEEC50B2E73DAD789714F10853DE90EC7354EA21DD428789

Uniqueness

Uniqueness Score: -1.00%

Function 06C56451 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b554ea570603d16dba67685b538d6cdc1e92ae0d84d2648dc599774697f58f74
Instruction ID: 0c8c6f2c4fc1b6a6bd835ac658b6765d728676e3e1af1b87948b2f126d8c5054
Opcode Fuzzy Hash: b554ea570603d16dba67685b538d6cdc1e92ae0d84d2648dc599774697f58f74
Instruction Fuzzy Hash: 48E0D8B1D183486BDB50CE75CD1575B7BBDD702214F5245E9D844CB292F336CE818395

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06C57678 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C57B4E
$^q, xrefs: 06C57C03
$^q, xrefs: 06C57C0F
$^q, xrefs: 06C577CE
$^q, xrefs: 06C57791
$^q, xrefs: 06C577C2
$^q, xrefs: 06C57BED
$^q, xrefs: 06C5779D
$^q, xrefs: 06C57B5A
$^q, xrefs: 06C57BF9

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 0ac86fe683499c302588590dc38a122accc108d1d5c25bea61b2ca92619720ad
Instruction ID: 32e6f0d0f56c21bd0980a585258727a9ee19ce7f601dd2882be8f4cf410a4983
Opcode Fuzzy Hash: 0ac86fe683499c302588590dc38a122accc108d1d5c25bea61b2ca92619720ad
Instruction Fuzzy Hash: D2122B30E002198FDB68EF65C954A9EB7F2BF88300F2185A9D509AB354DB309DC6CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5A910 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C5AA06
$^q, xrefs: 06C5AACE
$^q, xrefs: 06C5AA12
$^q, xrefs: 06C5AAC2
$^q, xrefs: 06C5AA8C
$^q, xrefs: 06C5AA6D
$^q, xrefs: 06C5AA98
$^q, xrefs: 06C5AA61

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: f38571de172046d048d5f386637e08de2811be12f24db6c2a79ec87f517ba139
Instruction ID: d9a410d2d8ea3a9e45553b66b8b8ff4c3f466c9331d26779f4593bf4071ae7fc
Opcode Fuzzy Hash: f38571de172046d048d5f386637e08de2811be12f24db6c2a79ec87f517ba139
Instruction Fuzzy Hash: DA915130E00209DFEBA4EFA6D994B6E77F2AF84300F118629E8059B355DB359D85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06C57078 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C5735A
.5vq, xrefs: 06C570D3
$^q, xrefs: 06C573C0
$^q, xrefs: 06C57514
$^q, xrefs: 06C57580
$^q, xrefs: 06C5758C
$^q, xrefs: 06C573B4

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 3c96636e288649e0135f21a843cd8b8bad3541707bd61e0b8af164b55baa5446
Instruction ID: 2bc314d21c305395f464654ef44a1c0eb8d3198dbada831cec9f77d7b6a07966
Opcode Fuzzy Hash: 3c96636e288649e0135f21a843cd8b8bad3541707bd61e0b8af164b55baa5446
Instruction Fuzzy Hash: CBF14F34B40208CFDB55EF69D994A6EB7B3BF84300F218568D8059B3A9DB31DD86CB64

Uniqueness

Uniqueness Score: -1.00%

Function 06C583A8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C58667
$^q, xrefs: 06C58673
$^q, xrefs: 06C58602
$^q, xrefs: 06C5860E

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 7e4b08e87f7bfbc341368fb207cb30764ad03efa5f6f9be2931a148770f3b30c
Instruction ID: 3b71bbafcb40ee2a0eb24f745fc3df7a930d4bff001655b6f4339b15af5888e3
Opcode Fuzzy Hash: 7e4b08e87f7bfbc341368fb207cb30764ad03efa5f6f9be2931a148770f3b30c
Instruction Fuzzy Hash: 3DB13D30F012188FDB54EB69D99466EB7B2EF84300F25C829D806DB399DB35DD86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 06C587C0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06C588B3
$^q, xrefs: 06C5884B
$^q, xrefs: 06C5883F
LR^q, xrefs: 06C58902

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 7c03ad4085dbbe0db6cd47f93eb812ab62c9bd175c3be29080daf9973d4d7b7a
Instruction ID: 6f3ed7a314a99d518d5426a3ba464fce629eceadc3968c174ef4e2cdfbdb7921
Opcode Fuzzy Hash: 7c03ad4085dbbe0db6cd47f93eb812ab62c9bd175c3be29080daf9973d4d7b7a
Instruction Fuzzy Hash: F851E730B012159FDB54EF69D954A6AB7E2FF84300F11856DD8069B3A9DB30EC84CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06C5AC9A Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 06C5AE4B
$^q, xrefs: 06C5AE74
$^q, xrefs: 06C5ADC9
$^q, xrefs: 06C5AE1C

Memory Dump Source

Source File: 0000000E.00000002.2895393584.0000000006C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6c50000_XEWKUH.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0e551ed1ece2676091415bcd3e3ddc167ea5e4a4c8e290013ccb32e5cbca7a9b
Instruction ID: 72c5058f171ff499c8638bcec5440976f35d69f2cdce40f3a4147086dad90fd6
Opcode Fuzzy Hash: 0e551ed1ece2676091415bcd3e3ddc167ea5e4a4c8e290013ccb32e5cbca7a9b
Instruction Fuzzy Hash: D9518330E102089FDFA5EBA5DD9066EB3B2EB88310F118629D8059B355DB31DD81CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 45brrQrxwH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\45brrQrxwH.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XEWKUH.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42je1sfx.03f.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcgfpzw5.w3t.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_go252xjx.txz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hycgfdcy.xlg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_okpkk2nj.ahp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_se303tbl.oa0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xputypb2.s4g.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yuvhpig3.ge3.ps1

C:\Users\user\AppData\Local\Temp\tmp365A.tmp

Windows Analysis Report
45brrQrxwH.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre