Edit tour

Windows Analysis Report
HCoITD94bW.exe

Overview

General Information

Sample name:	HCoITD94bW.exe renamed because original name is a hash value
Original sample name:	ab4f29a8a4b75804687788d6f228e7f1162173ea7ac8bec283ee178a428b87f9.exe
Analysis ID:	1632384
MD5:	f0788618986f493a4efc60cd0f84379a
SHA1:	872b98d7dc7f1269e93f34ef10105a735265129a
SHA256:	ab4f29a8a4b75804687788d6f228e7f1162173ea7ac8bec283ee178a428b87f9
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HCoITD94bW.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\HCoITD94bW.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

HCoITD94bW.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\HCoITD94bW.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

AppData.exe (PID: 7756 cmdline: "C:\Users\user\AppData\Roaming\AppData\AppData.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

AppData.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Roaming\AppData\AppData.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

AppData.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Roaming\AppData\AppData.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

AppData.exe (PID: 3180 cmdline: "C:\Users\user\AppData\Roaming\AppData\AppData.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

AppData.exe (PID: 2404 cmdline: "C:\Users\user\AppData\Roaming\AppData\AppData.exe" MD5: F0788618986F493A4EFC60CD0F84379A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendMessage?chat_id=5632751450"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x241ba:$a20: get_LastAccessed 0x2628e:$a30: set_GuidMasterKey 0x2428b:$a33: get_Clipboard 0x24299:$a34: get_Keyboard 0x25401:$a35: get_ShiftKeyDown 0x25412:$a36: get_AltKeyDown 0x242a6:$a37: get_Password 0x24cd2:$a38: get_PasswordHash 0x25b3e:$a39: get_DefaultCredentials
00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x244a2:$a20: get_LastAccessed 0x4d4c2:$a20: get_LastAccessed 0x26576:$a30: set_GuidMasterKey 0x4f596:$a30: set_GuidMasterKey 0x24573:$a33: get_Clipboard 0x4d593:$a33: get_Clipboard 0x24581:$a34: get_Keyboard 0x4d5a1:$a34: get_Keyboard 0x256e9:$a35: get_ShiftKeyDown 0x4e709:$a35: get_ShiftKeyDown 0x256fa:$a36: get_AltKeyDown 0x4e71a:$a36: get_AltKeyDown 0x2458e:$a37: get_Password 0x4d5ae:$a37: get_Password 0x24fba:$a38: get_PasswordHash 0x4dfda:$a38: get_PasswordHash 0x25e26:$a39: get_DefaultCredentials 0x4ee46:$a39: get_DefaultCredentials
00000005.00000002.3544840309.0000000000425000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x912:$a20: get_LastAccessed 0x29e6:$a30: set_GuidMasterKey 0x9e3:$a33: get_Clipboard 0x9f1:$a34: get_Keyboard 0x1b59:$a35: get_ShiftKeyDown 0x1b6a:$a36: get_AltKeyDown 0x9fe:$a37: get_Password 0x142a:$a38: get_PasswordHash 0x2296:$a39: get_DefaultCredentials
00000005.00000002.3551197176.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x4501a:$a20: get_LastAccessed 0x470ee:$a30: set_GuidMasterKey 0x450eb:$a33: get_Clipboard 0x450f9:$a34: get_Keyboard 0x46261:$a35: get_ShiftKeyDown 0x46272:$a36: get_AltKeyDown 0x45106:$a37: get_Password 0x45b32:$a38: get_PasswordHash 0x4699e:$a39: get_DefaultCredentials
00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2c57fa:$a20: get_LastAccessed 0x2ee61a:$a20: get_LastAccessed 0x2c78ce:$a30: set_GuidMasterKey 0x2f06ee:$a30: set_GuidMasterKey 0x2c58cb:$a33: get_Clipboard 0x2ee6eb:$a33: get_Clipboard 0x2c58d9:$a34: get_Keyboard 0x2ee6f9:$a34: get_Keyboard 0x2c6a41:$a35: get_ShiftKeyDown 0x2ef861:$a35: get_ShiftKeyDown 0x2c6a52:$a36: get_AltKeyDown 0x2ef872:$a36: get_AltKeyDown 0x2c58e6:$a37: get_Password 0x2ee706:$a37: get_Password 0x2c6312:$a38: get_PasswordHash 0x2ef132:$a38: get_PasswordHash 0x2c717e:$a39: get_DefaultCredentials 0x2eff9e:$a39: get_DefaultCredentials
0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HCoITD94bW.exe PID: 7268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: HCoITD94bW.exe PID: 7268	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30b65:$a20: get_LastAccessed 0x6bf84:$a20: get_LastAccessed 0x32303:$a30: set_GuidMasterKey 0x6dd5e:$a30: set_GuidMasterKey 0x30c09:$a33: get_Clipboard 0x6c04b:$a33: get_Clipboard 0x30c17:$a34: get_Keyboard 0x6c059:$a34: get_Keyboard 0x3187b:$a35: get_ShiftKeyDown 0x6d04c:$a35: get_ShiftKeyDown 0x3188c:$a36: get_AltKeyDown 0x6d05d:$a36: get_AltKeyDown 0x30c24:$a37: get_Password 0x6c066:$a37: get_Password 0x31355:$a38: get_PasswordHash 0x6ca00:$a38: get_PasswordHash 0x31da8:$a39: get_DefaultCredentials 0x6d6d9:$a39: get_DefaultCredentials
Process Memory Space: HCoITD94bW.exe PID: 7364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HCoITD94bW.exe PID: 7364	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: HCoITD94bW.exe PID: 7364	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppData.exe PID: 7756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AppData.exe PID: 7820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AppData.exe PID: 7820	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AppData.exe PID: 7820	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AppData.exe PID: 7820	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31c16:$a20: get_LastAccessed 0x339f0:$a30: set_GuidMasterKey 0x31cdd:$a33: get_Clipboard 0x31ceb:$a34: get_Keyboard 0x32cde:$a35: get_ShiftKeyDown 0x32cef:$a36: get_AltKeyDown 0x31cf8:$a37: get_Password 0x32692:$a38: get_PasswordHash 0x3336b:$a39: get_DefaultCredentials
Process Memory Space: AppData.exe PID: 1628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AppData.exe PID: 1628	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1da4e:$a20: get_LastAccessed 0x27271:$a20: get_LastAccessed 0x1f828:$a30: set_GuidMasterKey 0x2904b:$a30: set_GuidMasterKey 0x1db15:$a33: get_Clipboard 0x27338:$a33: get_Clipboard 0x1db23:$a34: get_Keyboard 0x27346:$a34: get_Keyboard 0x1eb16:$a35: get_ShiftKeyDown 0x28339:$a35: get_ShiftKeyDown 0x1eb27:$a36: get_AltKeyDown 0x2834a:$a36: get_AltKeyDown 0x1db30:$a37: get_Password 0x27353:$a37: get_Password 0x1e4ca:$a38: get_PasswordHash 0x27ced:$a38: get_PasswordHash 0x1f1a3:$a39: get_DefaultCredentials 0x289c6:$a39: get_DefaultCredentials
Process Memory Space: AppData.exe PID: 2404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AppData.exe PID: 2404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AppData.exe PID: 2404	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.HCoITD94bW.exe.36ba508.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.36ba508.0.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x23b12:$a20: get_LastAccessed 0x25be6:$a30: set_GuidMasterKey 0x23be3:$a33: get_Clipboard 0x23bf1:$a34: get_Keyboard 0x24d59:$a35: get_ShiftKeyDown 0x24d6a:$a36: get_AltKeyDown 0x23bfe:$a37: get_Password 0x2462a:$a38: get_PasswordHash 0x25496:$a39: get_DefaultCredentials
0.2.HCoITD94bW.exe.36ba508.0.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x272b4:$s10: logins 0x26d42:$s11: credential 0x23be3:$g1: get_Clipboard 0x23bf1:$g2: get_Keyboard 0x23bfe:$g3: get_Password 0x24d49:$g4: get_CtrlKeyDown 0x24d59:$g5: get_ShiftKeyDown 0x24d6a:$g6: get_AltKeyDown
0.2.HCoITD94bW.exe.36ba508.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.36ba508.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x21d12:$a20: get_LastAccessed 0x23de6:$a30: set_GuidMasterKey 0x21de3:$a33: get_Clipboard 0x21df1:$a34: get_Keyboard 0x22f59:$a35: get_ShiftKeyDown 0x22f6a:$a36: get_AltKeyDown 0x21dfe:$a37: get_Password 0x2282a:$a38: get_PasswordHash 0x23696:$a39: get_DefaultCredentials
0.2.HCoITD94bW.exe.36ba508.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x254b4:$s10: logins 0x24f42:$s11: credential 0x21de3:$g1: get_Clipboard 0x21df1:$g2: get_Keyboard 0x21dfe:$g3: get_Password 0x22f49:$g4: get_CtrlKeyDown 0x22f59:$g5: get_ShiftKeyDown 0x22f6a:$g6: get_AltKeyDown
12.2.AppData.exe.44b29b0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
12.2.AppData.exe.44b29b0.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x23b12:$a20: get_LastAccessed 0x25be6:$a30: set_GuidMasterKey 0x23be3:$a33: get_Clipboard 0x23bf1:$a34: get_Keyboard 0x24d59:$a35: get_ShiftKeyDown 0x24d6a:$a36: get_AltKeyDown 0x23bfe:$a37: get_Password 0x2462a:$a38: get_PasswordHash 0x25496:$a39: get_DefaultCredentials
12.2.AppData.exe.44b29b0.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x272b4:$s10: logins 0x26d42:$s11: credential 0x23be3:$g1: get_Clipboard 0x23bf1:$g2: get_Keyboard 0x23bfe:$g3: get_Password 0x24d49:$g4: get_CtrlKeyDown 0x24d59:$g5: get_ShiftKeyDown 0x24d6a:$g6: get_AltKeyDown
12.2.AppData.exe.4489990.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
12.2.AppData.exe.4489990.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x21d12:$a20: get_LastAccessed 0x23de6:$a30: set_GuidMasterKey 0x21de3:$a33: get_Clipboard 0x21df1:$a34: get_Keyboard 0x22f59:$a35: get_ShiftKeyDown 0x22f6a:$a36: get_AltKeyDown 0x21dfe:$a37: get_Password 0x2282a:$a38: get_PasswordHash 0x23696:$a39: get_DefaultCredentials
12.2.AppData.exe.4489990.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x254b4:$s10: logins 0x24f42:$s11: credential 0x21de3:$g1: get_Clipboard 0x21df1:$g2: get_Keyboard 0x21dfe:$g3: get_Password 0x22f49:$g4: get_CtrlKeyDown 0x22f59:$g5: get_ShiftKeyDown 0x22f6a:$g6: get_AltKeyDown
0.2.HCoITD94bW.exe.4193ce8.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.4193ce8.2.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x21d12:$a20: get_LastAccessed 0x23de6:$a30: set_GuidMasterKey 0x21de3:$a33: get_Clipboard 0x21df1:$a34: get_Keyboard 0x22f59:$a35: get_ShiftKeyDown 0x22f6a:$a36: get_AltKeyDown 0x21dfe:$a37: get_Password 0x2282a:$a38: get_PasswordHash 0x23696:$a39: get_DefaultCredentials
12.2.AppData.exe.44b29b0.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.4193ce8.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x254b4:$s10: logins 0x24f42:$s11: credential 0x21de3:$g1: get_Clipboard 0x21df1:$g2: get_Keyboard 0x21dfe:$g3: get_Password 0x22f49:$g4: get_CtrlKeyDown 0x22f59:$g5: get_ShiftKeyDown 0x22f6a:$g6: get_AltKeyDown
12.2.AppData.exe.44b29b0.2.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x21d12:$a20: get_LastAccessed 0x23de6:$a30: set_GuidMasterKey 0x21de3:$a33: get_Clipboard 0x21df1:$a34: get_Keyboard 0x22f59:$a35: get_ShiftKeyDown 0x22f6a:$a36: get_AltKeyDown 0x21dfe:$a37: get_Password 0x2282a:$a38: get_PasswordHash 0x23696:$a39: get_DefaultCredentials
12.2.AppData.exe.44b29b0.2.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x254b4:$s10: logins 0x24f42:$s11: credential 0x21de3:$g1: get_Clipboard 0x21df1:$g2: get_Keyboard 0x21dfe:$g3: get_Password 0x22f49:$g4: get_CtrlKeyDown 0x22f59:$g5: get_ShiftKeyDown 0x22f6a:$g6: get_AltKeyDown
0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x23b12:$a20: get_LastAccessed 0x4c932:$a20: get_LastAccessed 0x25be6:$a30: set_GuidMasterKey 0x4ea06:$a30: set_GuidMasterKey 0x23be3:$a33: get_Clipboard 0x4ca03:$a33: get_Clipboard 0x23bf1:$a34: get_Keyboard 0x4ca11:$a34: get_Keyboard 0x24d59:$a35: get_ShiftKeyDown 0x4db79:$a35: get_ShiftKeyDown 0x24d6a:$a36: get_AltKeyDown 0x4db8a:$a36: get_AltKeyDown 0x23bfe:$a37: get_Password 0x4ca1e:$a37: get_Password 0x2462a:$a38: get_PasswordHash 0x4d44a:$a38: get_PasswordHash 0x25496:$a39: get_DefaultCredentials 0x4e2b6:$a39: get_DefaultCredentials
0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x272b4:$s10: logins 0x500d4:$s10: logins 0x26d42:$s11: credential 0x4fb62:$s11: credential 0x23be3:$g1: get_Clipboard 0x4ca03:$g1: get_Clipboard 0x23bf1:$g2: get_Keyboard 0x4ca11:$g2: get_Keyboard 0x23bfe:$g3: get_Password 0x4ca1e:$g3: get_Password 0x24d49:$g4: get_CtrlKeyDown 0x4db69:$g4: get_CtrlKeyDown 0x24d59:$g5: get_ShiftKeyDown 0x4db79:$g5: get_ShiftKeyDown 0x24d6a:$g6: get_AltKeyDown 0x4db8a:$g6: get_AltKeyDown
0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x90d32:$a20: get_LastAccessed 0xb9b52:$a20: get_LastAccessed 0x92e06:$a30: set_GuidMasterKey 0xbbc26:$a30: set_GuidMasterKey 0x90e03:$a33: get_Clipboard 0xb9c23:$a33: get_Clipboard 0x90e11:$a34: get_Keyboard 0xb9c31:$a34: get_Keyboard 0x91f79:$a35: get_ShiftKeyDown 0xbad99:$a35: get_ShiftKeyDown 0x91f8a:$a36: get_AltKeyDown 0xbadaa:$a36: get_AltKeyDown 0x90e1e:$a37: get_Password 0xb9c3e:$a37: get_Password 0x9184a:$a38: get_PasswordHash 0xba66a:$a38: get_PasswordHash 0x926b6:$a39: get_DefaultCredentials 0xbb4d6:$a39: get_DefaultCredentials
0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x944d4:$s10: logins 0xbd2f4:$s10: logins 0x93f62:$s11: credential 0xbcd82:$s11: credential 0x90e03:$g1: get_Clipboard 0xb9c23:$g1: get_Clipboard 0x90e11:$g2: get_Keyboard 0xb9c31:$g2: get_Keyboard 0x90e1e:$g3: get_Password 0xb9c3e:$g3: get_Password 0x91f69:$g4: get_CtrlKeyDown 0xbad89:$g4: get_CtrlKeyDown 0x91f79:$g5: get_ShiftKeyDown 0xbad99:$g5: get_ShiftKeyDown 0x91f8a:$g6: get_AltKeyDown 0xbadaa:$g6: get_AltKeyDown
12.2.AppData.exe.4489990.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
12.2.AppData.exe.4489990.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x23b12:$a20: get_LastAccessed 0x4cb32:$a20: get_LastAccessed 0x25be6:$a30: set_GuidMasterKey 0x4ec06:$a30: set_GuidMasterKey 0x23be3:$a33: get_Clipboard 0x4cc03:$a33: get_Clipboard 0x23bf1:$a34: get_Keyboard 0x4cc11:$a34: get_Keyboard 0x24d59:$a35: get_ShiftKeyDown 0x4dd79:$a35: get_ShiftKeyDown 0x24d6a:$a36: get_AltKeyDown 0x4dd8a:$a36: get_AltKeyDown 0x23bfe:$a37: get_Password 0x4cc1e:$a37: get_Password 0x2462a:$a38: get_PasswordHash 0x4d64a:$a38: get_PasswordHash 0x25496:$a39: get_DefaultCredentials 0x4e4b6:$a39: get_DefaultCredentials
12.2.AppData.exe.4489990.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x272b4:$s10: logins 0x502d4:$s10: logins 0x26d42:$s11: credential 0x4fd62:$s11: credential 0x23be3:$g1: get_Clipboard 0x4cc03:$g1: get_Clipboard 0x23bf1:$g2: get_Keyboard 0x4cc11:$g2: get_Keyboard 0x23bfe:$g3: get_Password 0x4cc1e:$g3: get_Password 0x24d49:$g4: get_CtrlKeyDown 0x4dd69:$g4: get_CtrlKeyDown 0x24d59:$g5: get_ShiftKeyDown 0x4dd79:$g5: get_ShiftKeyDown 0x24d6a:$g6: get_AltKeyDown 0x4dd8a:$g6: get_AltKeyDown
0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xfdf52:$a20: get_LastAccessed 0x126d72:$a20: get_LastAccessed 0x100026:$a30: set_GuidMasterKey 0x128e46:$a30: set_GuidMasterKey 0xfe023:$a33: get_Clipboard 0x126e43:$a33: get_Clipboard 0xfe031:$a34: get_Keyboard 0x126e51:$a34: get_Keyboard 0xff199:$a35: get_ShiftKeyDown 0x127fb9:$a35: get_ShiftKeyDown 0xff1aa:$a36: get_AltKeyDown 0x127fca:$a36: get_AltKeyDown 0xfe03e:$a37: get_Password 0x126e5e:$a37: get_Password 0xfea6a:$a38: get_PasswordHash 0x12788a:$a38: get_PasswordHash 0xff8d6:$a39: get_DefaultCredentials 0x1286f6:$a39: get_DefaultCredentials
0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1016f4:$s10: logins 0x12a514:$s10: logins 0x101182:$s11: credential 0x129fa2:$s11: credential 0xfe023:$g1: get_Clipboard 0x126e43:$g1: get_Clipboard 0xfe031:$g2: get_Keyboard 0x126e51:$g2: get_Keyboard 0xfe03e:$g3: get_Password 0x126e5e:$g3: get_Password 0xff189:$g4: get_CtrlKeyDown 0x127fa9:$g4: get_CtrlKeyDown 0xff199:$g5: get_ShiftKeyDown 0x127fb9:$g5: get_ShiftKeyDown 0xff1aa:$g6: get_AltKeyDown 0x127fca:$g6: get_AltKeyDown
Click to see the 25 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\AppData\AppData.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\HCoITD94bW.exe, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppData

Suricata Signatures

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:10:48.359928+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.10	49682	149.154.167.220	443	TCP
2025-03-07T23:11:05.128406+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.10	49690	149.154.167.220	443	TCP
2025-03-07T23:11:12.299540+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.10	49693	149.154.167.220	443	TCP
2025-03-07T23:12:23.539899+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.10	49697	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:10:48.359928+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49682	149.154.167.220	443	TCP
2025-03-07T23:10:52.792139+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49683	149.154.167.220	443	TCP
2025-03-07T23:11:05.128406+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49690	149.154.167.220	443	TCP
2025-03-07T23:11:08.463458+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49691	149.154.167.220	443	TCP
2025-03-07T23:11:12.299540+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49693	149.154.167.220	443	TCP
2025-03-07T23:11:15.522295+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49694	149.154.167.220	443	TCP
2025-03-07T23:12:23.539899+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.10	49697	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:10:48.864375+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49682	TCP
2025-03-07T23:10:53.301863+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49683	TCP
2025-03-07T23:11:05.555389+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49690	TCP
2025-03-07T23:11:08.841924+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49691	TCP
2025-03-07T23:11:12.798210+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49693	TCP
2025-03-07T23:11:16.182114+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49694	TCP
2025-03-07T23:12:23.768622+0100	2854281	1	A Network Trojan was detected	149.154.167.220	443	192.168.2.10	49697	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:10:48.068804+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49682	149.154.167.220	443	TCP
2025-03-07T23:10:52.490616+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49683	149.154.167.220	443	TCP
2025-03-07T23:11:04.741909+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49690	149.154.167.220	443	TCP
2025-03-07T23:11:08.084337+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49691	149.154.167.220	443	TCP
2025-03-07T23:11:11.772278+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49693	149.154.167.220	443	TCP
2025-03-07T23:11:15.193853+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49694	149.154.167.220	443	TCP
2025-03-07T23:12:23.178132+0100	1810008	1	Potentially Bad Traffic	192.168.2.10	49697	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HCoITD94bW.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe

Avira: detection malicious, Label: TR/AD.GenSteal.qzqrd

Found malware configuration

Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendMessage?chat_id=5632751450"}
Source: HCoITD94bW.exe.7364.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: HCoITD94bW.exe	ReversingLabs: Detection: 78%
Source: HCoITD94bW.exe	Virustotal: Detection: 79%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: HCoITD94bW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49697 version: TLS 1.2

Source: HCoITD94bW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wZnH.pdb source: HCoITD94bW.exe, AppData.exe.2.dr
Source:	Binary string: wZnH.pdbSHA256o source: HCoITD94bW.exe, AppData.exe.2.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49690 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49693 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49683 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49691 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.10:49693 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49694 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49693 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.10:49690 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49690 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49682 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.10:49697 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49691 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49683 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49694 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.10:49682 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49682 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49691
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.10:49697 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.10:49697 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49683
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49694
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49693
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49690
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49682
Source: Network traffic	Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.10:49697

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9baa2e5b73Host: api.telegram.orgContent-Length: 1073Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9d8fd07bfaHost: api.telegram.orgContent-Length: 1608Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9b70eda7f3Host: api.telegram.orgContent-Length: 1073Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9d70da3f04Host: api.telegram.orgContent-Length: 1608Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9b7705f000Host: api.telegram.orgContent-Length: 1073Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9d7369cc85Host: api.telegram.orgContent-Length: 1608Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5fdae3f872fdHost: api.telegram.orgContent-Length: 981Expect: 100-continue

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd5d9baa2e5b73Host: api.telegram.orgContent-Length: 1073Expect: 100-continueConnection: Keep-Alive

Source: AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003474000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000003072000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.0000000003526000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HCoITD94bW.exe, AppData.exe.2.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: AppData.exe, 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://A6uxKavPK33BnTXZ.org
Source: AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgMozilla/5.0
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003474000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000003072000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.0000000003526000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003474000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000003072000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/
Source: AppData.exe, 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/5632751450appdataAppDataA
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003474000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034E1000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.0000000003072000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.0000000003526000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5902621720:AAG63saKfqN8L1Gxy5Zs-PFqX69DHY3i2Yg/sendDocument

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49697 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Code function: 2_2_07232CD8 SetWindowsHookExW 0000000D,00000000,?,?

2_2_07232CD8

Installs a global keyboard hook

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\HCoITD94bW.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\AppData\AppData.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\AppData\AppData.exe

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.3544840309.0000000000425000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: HCoITD94bW.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: AppData.exe PID: 1628, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E5A48D8E-6D6C-435A-85D1-A169C2581EDC.cs	Large array initialization: E5A48D8E_002D6D6C_002D435A_002D85D1_002DA169C2581EDC: array initializer size 9532
Source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, E5A48D8E-6D6C-435A-85D1-A169C2581EDC.cs	Large array initialization: E5A48D8E_002D6D6C_002D435A_002D85D1_002DA169C2581EDC: array initializer size 9532
Source: 12.2.AppData.exe.44b29b0.2.raw.unpack, E5A48D8E-6D6C-435A-85D1-A169C2581EDC.cs	Large array initialization: E5A48D8E_002D6D6C_002D435A_002D85D1_002DA169C2581EDC: array initializer size 9532

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_04BDD3E4	0_2_04BDD3E4
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694E6F8	0_2_0694E6F8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06947CB8	0_2_06947CB8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06946D98	0_2_06946D98
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694CD80	0_2_0694CD80
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06945B88	0_2_06945B88
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694E6E9	0_2_0694E6E9
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D4B0	0_2_0694D4B0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D4C0	0_2_0694D4C0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694A540	0_2_0694A540
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D25A	0_2_0694D25A
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D268	0_2_0694D268
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06946399	0_2_06946399
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694A380	0_2_0694A380
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694A370	0_2_0694A370
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694A0F0	0_2_0694A0F0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694A0E1	0_2_0694A0E1
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D018	0_2_0694D018
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694E018	0_2_0694E018
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694D008	0_2_0694D008
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694E00A	0_2_0694E00A
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06949F80	0_2_06949F80
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06949F70	0_2_06949F70
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06944C99	0_2_06944C99
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06947C3E	0_2_06947C3E
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06948D10	0_2_06948D10
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06948D00	0_2_06948D00
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694CD6F	0_2_0694CD6F
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694EBD0	0_2_0694EBD0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_0694EBC0	0_2_0694EBC0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06949B50	0_2_06949B50
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06945B77	0_2_06945B77
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A584B8	0_2_06A584B8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A56538	0_2_06A56538
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A513B9	0_2_06A513B9
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A560F1	0_2_06A560F1
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A57BE0	0_2_06A57BE0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_02F1A9D8	2_2_02F1A9D8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_02F177DB	2_2_02F177DB
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_02F19DC0	2_2_02F19DC0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_02F1A108	2_2_02F1A108
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_072344A0	2_2_072344A0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07238628	2_2_07238628
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_0723B668	2_2_0723B668
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_072354E8	2_2_072354E8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07846608	2_2_07846608
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_0784B318	2_2_0784B318
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07843A90	2_2_07843A90
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_078482B0	2_2_078482B0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07844230	2_2_07844230
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07840890	2_2_07840890
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07840740	2_2_07840740
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07844EC8	2_2_07844EC8
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07841318	2_2_07841318
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_0784F348	2_2_0784F348
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_0784824D	2_2_0784824D
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_078441D0	2_2_078441D0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C5BB68	2_2_07C5BB68
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C51530	2_2_07C51530
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C560C0	2_2_07C560C0
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C5CD56	2_2_07C5CD56
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C5CD58	2_2_07C5CD58
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C53978	2_2_07C53978
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_0306D3E4	4_2_0306D3E4
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076F6538	4_2_076F6538
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076F84B8	4_2_076F84B8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076F60F1	4_2_076F60F1
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076F7BE0	4_2_076F7BE0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE5B88	4_2_08DE5B88
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE7CB8	4_2_08DE7CB8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DECD80	4_2_08DECD80
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE6DA8	4_2_08DE6DA8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEE6F8	4_2_08DEE6F8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA0F0	4_2_08DEA0F0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA0E1	4_2_08DEA0E1
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED018	4_2_08DED018
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEE018	4_2_08DEE018
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEE00B	4_2_08DEE00B
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED008	4_2_08DED008
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED25B	4_2_08DED25B
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED268	4_2_08DED268
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEEBD0	4_2_08DEEBD0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEEBC0	4_2_08DEEBC0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE6399	4_2_08DE6399
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA380	4_2_08DEA380
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE63A8	4_2_08DE63A8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE9B50	4_2_08DE9B50
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE5B77	4_2_08DE5B77
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA370	4_2_08DEA370
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE9B60	4_2_08DE9B60
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED4C0	4_2_08DED4C0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE4C99	4_2_08DE4C99
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE7CB7	4_2_08DE7CB7
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DED4B0	4_2_08DED4B0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE4CA8	4_2_08DE4CA8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE7C78	4_2_08DE7C78
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE6D98	4_2_08DE6D98
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA550	4_2_08DEA550
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEA540	4_2_08DEA540
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DECD6F	4_2_08DECD6F
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE8D10	4_2_08DE8D10
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE8D00	4_2_08DE8D00
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DEE6E9	4_2_08DEE6E9
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE9F80	4_2_08DE9F80
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE9F70	4_2_08DE9F70
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_0138A108	5_2_0138A108
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_0138A9D8	5_2_0138A9D8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_013877DA	5_2_013877DA
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_01389DC0	5_2_01389DC0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_058B75D8	5_2_058B75D8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_058B6840	5_2_058B6840
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_058B4129	5_2_058B4129
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_058B1B48	5_2_058B1B48
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9F280	5_2_06E9F280
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E99050	5_2_06E99050
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EAF6F0	5_2_06EAF6F0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EA3699	5_2_06EA3699
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EA9AE0	5_2_06EA9AE0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EAA0A8	5_2_06EAA0A8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EABE80	5_2_06EABE80
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC5640	5_2_06EC5640
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06ECEA38	5_2_06ECEA38
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC6CED	5_2_06EC6CED
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC30D8	5_2_06EC30D8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC50A8	5_2_06EC50A8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06ECA4B0	5_2_06ECA4B0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC6480	5_2_06EC6480
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC0040	5_2_06EC0040
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06EC3079	5_2_06EC3079
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06ECE1E8	5_2_06ECE1E8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_01076F90	12_2_01076F90
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0107D3E4	12_2_0107D3E4
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08817BE0	12_2_08817BE0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08815CB0	12_2_08815CB0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08815CC8	12_2_08815CC8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_088160F1	12_2_088160F1
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_088184B8	12_2_088184B8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08816538	12_2_08816538
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08825B88	12_2_08825B88
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08827CB8	12_2_08827CB8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882CD80	12_2_0882CD80
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08826D98	12_2_08826D98
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882E6F8	12_2_0882E6F8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882A0E1	12_2_0882A0E1
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882A0F0	12_2_0882A0F0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882E00B	12_2_0882E00B
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D008	12_2_0882D008
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D018	12_2_0882D018
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882E018	12_2_0882E018
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D25B	12_2_0882D25B
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D268	12_2_0882D268
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882A380	12_2_0882A380
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08826399	12_2_08826399
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882EBC0	12_2_0882EBC0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882EBD0	12_2_0882EBD0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08829B50	12_2_08829B50
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882A370	12_2_0882A370
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08825B77	12_2_08825B77
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08824C9B	12_2_08824C9B
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08827CAB	12_2_08827CAB
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D4B0	12_2_0882D4B0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882D4C0	12_2_0882D4C0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08828D00	12_2_08828D00
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08828D10	12_2_08828D10
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882A540	12_2_0882A540
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882CD6F	12_2_0882CD6F
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_0882E6E9	12_2_0882E6E9
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08829F80	12_2_08829F80
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 12_2_08829F70	12_2_08829F70
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_030AA9D8	14_2_030AA9D8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_030A77DB	14_2_030A77DB
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_030A9DC0	14_2_030A9DC0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_030AA108	14_2_030AA108
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D727C9	14_2_05D727C9
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D737B6	14_2_05D737B6
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D7E778	14_2_05D7E778
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D72767	14_2_05D72767
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D7271F	14_2_05D7271F
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D72640	14_2_05D72640
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D73350	14_2_05D73350
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_05D72A76	14_2_05D72A76
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075975D8	14_2_075975D8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_07591B48	14_2_07591B48
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_07590040	14_2_07590040
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_07594129	14_2_07594129
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075D6790	14_2_075D6790
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075D3D38	14_2_075D3D38
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DF478	14_2_075DF478
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DDC00	14_2_075DDC00
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DA968	14_2_075DA968
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DF477	14_2_075DF477
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DBB58	14_2_075DBB58
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 14_2_075DBB57	14_2_075DBB57

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: String function: 030A1810 appears 39 times
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: String function: 01381680 appears 43 times
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: String function: 030A1680 appears 43 times
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: String function: 01381810 appears 39 times

Source: HCoITD94bW.exe, 00000000.00000002.1094948447.000000000289F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5cc642c5-22a7-40a5-abd5-7bfa7f5d8946.exe4 vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5cc642c5-22a7-40a5-abd5-7bfa7f5d8946.exe4 vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000000.1079681571.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewZnH.exeB vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5cc642c5-22a7-40a5-abd5-7bfa7f5d8946.exe4 vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000002.1093682707.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000000.00000002.1109903459.000000000B100000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3545475230.0000000001339000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $oq,\\StringFileInfo\\080904B0\\OriginalFilename vs HCoITD94bW.exe
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs HCoITD94bW.exe
Source: HCoITD94bW.exe	Binary or memory string: OriginalFilenamewZnH.exeB vs HCoITD94bW.exe

Source: HCoITD94bW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000005.00000002.3544840309.0000000000425000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: HCoITD94bW.exe PID: 7268, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: AppData.exe PID: 1628, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: HCoITD94bW.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AppData.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, F.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, F.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, E.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, kKRAy5eHKfl9wqw590.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@2/2

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HCoITD94bW.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe

Mutant created: NULL

Source: HCoITD94bW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: HCoITD94bW.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HCoITD94bW.exe, 00000002.00000002.3549792215.000000000346E000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3551197176.000000000306B000.00000004.00000800.00020000.00000000.sdmp, AppData.exe, 0000000E.00000002.3548930931.00000000034C9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: HCoITD94bW.exe	ReversingLabs: Detection: 78%
Source: HCoITD94bW.exe	Virustotal: Detection: 79%

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File read: C:\Users\user\Desktop\HCoITD94bW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HCoITD94bW.exe "C:\Users\user\Desktop\HCoITD94bW.exe"
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process created: C:\Users\user\Desktop\HCoITD94bW.exe "C:\Users\user\Desktop\HCoITD94bW.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process created: C:\Users\user\Desktop\HCoITD94bW.exe "C:\Users\user\Desktop\HCoITD94bW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HCoITD94bW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: HCoITD94bW.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: HCoITD94bW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wZnH.pdb source: HCoITD94bW.exe, AppData.exe.2.dr
Source:	Binary string: wZnH.pdbSHA256o source: HCoITD94bW.exe, AppData.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	.Net Code: d8ibZDl0Bk System.Reflection.Assembly.Load(byte[])
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	.Net Code: d8ibZDl0Bk System.Reflection.Assembly.Load(byte[])
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	.Net Code: d8ibZDl0Bk System.Reflection.Assembly.Load(byte[])

Source: HCoITD94bW.exe

Static PE information: 0x98D08CEB [Thu Mar 30 15:53:15 2051 UTC]

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06947750 push cs; ret	0_2_06947751
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A5D1FD push FFFFFF8Bh; iretd	0_2_06A5D1FF
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 0_2_06A5BAA8 push esp; ret	0_2_06A5BAED
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_078478E0 push eax; retf	2_2_078478ED
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_0784D03F pushad ; retf	2_2_0784D0B9
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Code function: 2_2_07C527BF push edi; retn 0000h	2_2_07C527C1
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076FD1FD push FFFFFF8Bh; iretd	4_2_076FD1FF
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076FBAA8 push esp; ret	4_2_076FBAED
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076FB939 push cs; retf	4_2_076FB946
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_076F2899 push 7CD0076Eh; retf	4_2_076F289E
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE57A5 pushad ; retf	4_2_08DE57A6
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 4_2_08DE7750 push cs; ret	4_2_08DE7751
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_058B56C3 push ebp; iretd	5_2_058B56C8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9A768 push es; retf	5_2_06E9B03C
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B4E7 push es; retf	5_2_06E9B4F0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B4FF push es; retf	5_2_06E9B500
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B4F7 push es; retf	5_2_06E9B4F8
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B4AB push es; retf	5_2_06E9B4B0
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B4A3 push es; retf	5_2_06E9B4A4
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B463 push es; retf	5_2_06E9B464
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B453 push es; retf	5_2_06E9B454
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B423 push es; retf	5_2_06E9B424
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B403 push es; retf	5_2_06E9B40C
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B41B push es; retf	5_2_06E9B41C
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B5D3 push es; retf	5_2_06E9B5D4
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B587 push es; retf	5_2_06E9B588
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B56F push es; retf	5_2_06E9B570
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B567 push es; retf	5_2_06E9B568
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B57F push es; retf	5_2_06E9B580
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B577 push es; retf	5_2_06E9B578
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Code function: 5_2_06E9B54F push es; retf	5_2_06E9B550

Source: HCoITD94bW.exe	Static PE information: section name: .text entropy: 7.705531314592027
Source: AppData.exe.2.dr	Static PE information: section name: .text entropy: 7.705531314592027

Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, PI80yk87oJpK0Rl74iA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'V3xDtaMArC', 'UIIDOWIZXq', 'SZcDhmmgdo', 'AhnDfCqwfv', 'FdOD0r6WEs', 'fYfD4h7WYt', 'elJDFMi0hc'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, mKWchoKUnqByYFEnyh.cs	High entropy of concatenated method names: 'C2uy99FReo', 'wgFyUjA4M2', 'eScyeYALlK', 'GWlyKsjXZd', 'DOUymMvxQ6', 'dSyyLPmti1', 'AymyS5usbc', 'tpNyV45fAe', 'wH8yxSvIYU', 'yXuyDptZc6'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, q7gqetvCug0hv5udWc.cs	High entropy of concatenated method names: 'YbCSs8y1FC', 'vcqS3R1dZc', 'qXPV79bZmg', 'gq0V8iMIPb', 'PRISt5HJrC', 'yBKSOsF5LX', 'hCUSh0bAAx', 'nhYSfRetaf', 'rykS0xWyO4', 'RKRS4e0qjQ'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, nJB4qTFoHXGbibncOH.cs	High entropy of concatenated method names: 'd6nSjD1ZGQ', 'yNmSrk01qB', 'ToString', 'EbhSEqkpJD', 'OIJS5Ar2So', 'iPxSy3gm7F', 'cdTSNleVvd', 'EcfSAu7XbV', 'RoNS2AKMIP', 'G6CSRwiWhl'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	High entropy of concatenated method names: 'myjQJKWL9f', 'tJNQEm8MLm', 'suLQ5tuL6f', 'cCBQyEGYnQ', 'YyZQNtDuqJ', 'ffNQA3SUrT', 'F0BQ2naTL6', 'aKqQRKOJHB', 'ah5QMdJSnL', 'DctQjOnP1N'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, po6Efi4p42Wf6LMnkx.cs	High entropy of concatenated method names: 'ToString', 'MtWLtvF9Cv', 'TU7LuxbieS', 'dL5LYUpfSQ', 'IIgLit9bLM', 'JqcLXWsyDU', 'APoLaiNFSq', 'oY2LTOaUq5', 'xiHLlOcg9u', 'mjOLGlKUtg'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, kKRAy5eHKfl9wqw590.cs	High entropy of concatenated method names: 'zF45fMq9eQ', 'vDy50mj7yk', 'pf954sOIdh', 'jp95Fwg1w3', 'jnv5w1Yc4X', 't7g5vbGPcl', 'Rkg5WekkQB', 'qRa5sZY7Wt', 'KSl5nNrdR5', 'S2D53Ib7M4'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, nhpRVqzsddf4BrYXEr.cs	High entropy of concatenated method names: 'dEaDUyJP6i', 'fYxDefKvYC', 'i6lDKwoeRo', 'xLhDBvVZOi', 'rhRDudOwdn', 'UJxDiQSTP5', 'lKqDXlROKn', 'rypDqOn0ci', 'kKrDpy1gb5', 'kFQDHudgRk'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, SBWxvyfRioFwVe8jeZ.cs	High entropy of concatenated method names: 't03mo5fSJt', 'nxymODXtPW', 'QqgmffbtMd', 'c0Cm0S3nRQ', 'TPQmurhfih', 'MRKmYUoaW1', 'ID4mixTJuY', 'yeZmXXCa2l', 'k8jma76OCU', 'yN3mT3NIJe'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, MNyeyfGRJyNM4d92YO.cs	High entropy of concatenated method names: 'cfO2pjStmt', 'Vw62HRcl0T', 'Oom2ZS2MxQ', 'U2B29cehRw', 'H9B21ki3Ix', 'r7o2UmrPal', 'w5h26iJ9ii', 'vdv2eYOflJ', 'Ky02KIoHBd', 'sU52I2o5Q2'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, bF0hgkh86puLpmwH5Y.cs	High entropy of concatenated method names: 'vSrPeuMe2u', 'yWLPK3FJmm', 'zUnPBVvXoB', 'QYYPuKB9sW', 'BtDPibH7UH', 'ysFPXTjyyw', 'AQuPTQDjl6', 'j1nPlQcWyZ', 'DfsPoRA8Bi', 'JOLPt7d8DH'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, cYDN9mbHwm8PjAv2w8.cs	High entropy of concatenated method names: 'xWR82KRAy5', 'zKf8Rl9wqw', 'OUn8jqByYF', 'fny8rh9NUX', 'xnh8mBmq8U', 'k948LlnKDc', 'MphG785pDdm3fKyk9j', 'LE9VVR4GOBlJeba3Px', 'wBI882K249', 'R7y8QwCpy8'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, U1jAVhWgwPOnFHN0B7.cs	High entropy of concatenated method names: 'PMgxmVWJbA', 'UaxxSyBNtV', 'zW7xxlZvSs', 'THZxdVLIUE', 'ckPxg5vEhl', 'tDCxqj8bK6', 'Dispose', 'w81VEIwpRY', 'ej4V5meBcG', 'a6TVy3rqDO'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, qioHNnyJPf0YUQPlWS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rAckntQRPN', 'uuRk3LvCf0', 'JD1kz78JRx', 'D0NQ7LRvBe', 'vAnQ8Bl8vB', 'E3TQkm6nyx', 'COCQQx2tOk', 'RAqHAjgFtvq2UhK3ZNd'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, ln6u5C88JHsce7ISGNv.cs	High entropy of concatenated method names: 'j9SD31C92O', 'IEvDzickuC', 'daWd7RrOop', 'kOYd8jySBb', 'oT1dkTlNxZ', 'uYidQsoX3w', 'WT2db2VtPr', 'oRRdJsl4Bi', 'BHbdEN8xto', 'BLWd5NjE8E'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, gr3PQ03YuKAwFnNr3J.cs	High entropy of concatenated method names: 'eAgDycy0GV', 'bJiDNER8NI', 'M8IDAhMHoB', 'M5AD2uwoCQ', 'd8nDxa02RR', 'F1PDRQOlwY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, BHfZ5TaogBSaju12Rb.cs	High entropy of concatenated method names: 'jpcA4WYVso', 'vhFAFuHe1o', 'URMAwyrbDh', 'ToString', 'BImAvfIYwP', 'lXVAWIPfwq', 'sSabD6s8ALRtJlQNVxZ', 'Tmx6uNsHMQR95ehPxB0'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, JH2vGSnhUd3SDVMVC9.cs	High entropy of concatenated method names: 'euexBbb64G', 'TABxuCmBAi', 'qg1xYXSGM0', 'BiVxihKj2Y', 'vhlxX1fqcC', 'mLoxauuC9s', 'oDYxToYMqd', 'VuMxlY146D', 'Du4xG03sfT', 'DpTxosFFd8'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, yComp85yYmFaiduPKT.cs	High entropy of concatenated method names: 'Dispose', 'oOn8nFHN0B', 'z9Zkuw4QGi', 'MLvwK5QSvL', 'aIi83yP6vW', 'li38zEU5iA', 'ProcessDialogKey', 'Miik7H2vGS', 'QUdk83SDVM', 'rC9kk5r3PQ'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, lNkkgTk1CH30Ux4saL.cs	High entropy of concatenated method names: 'nRHZYVkp7', 'zmO9qfcNY', 'DKCUQCtjE', 'P3w657IoO', 'omrKWh16p', 'y7rIsuCGP', 'L7xdVTIi15GB5qERFI', 'rQ7W0xbuIDpgtn0Oom', 'x9GV915VU', 'quZDI39lu'
Source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, x8UR94BlnKDc8fOujq.cs	High entropy of concatenated method names: 'ILCAJhqg9p', 'N37A5flV0s', 'mkFANWDNXn', 'vl8A2OHJLM', 'zryAR766hA', 'rtnNwE6j38', 'ohcNvAsOMu', 'mP3NWZEjRS', 'BuvNsAaDnN', 'H76NnuaKDh'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, PI80yk87oJpK0Rl74iA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'V3xDtaMArC', 'UIIDOWIZXq', 'SZcDhmmgdo', 'AhnDfCqwfv', 'FdOD0r6WEs', 'fYfD4h7WYt', 'elJDFMi0hc'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, mKWchoKUnqByYFEnyh.cs	High entropy of concatenated method names: 'C2uy99FReo', 'wgFyUjA4M2', 'eScyeYALlK', 'GWlyKsjXZd', 'DOUymMvxQ6', 'dSyyLPmti1', 'AymyS5usbc', 'tpNyV45fAe', 'wH8yxSvIYU', 'yXuyDptZc6'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, q7gqetvCug0hv5udWc.cs	High entropy of concatenated method names: 'YbCSs8y1FC', 'vcqS3R1dZc', 'qXPV79bZmg', 'gq0V8iMIPb', 'PRISt5HJrC', 'yBKSOsF5LX', 'hCUSh0bAAx', 'nhYSfRetaf', 'rykS0xWyO4', 'RKRS4e0qjQ'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, nJB4qTFoHXGbibncOH.cs	High entropy of concatenated method names: 'd6nSjD1ZGQ', 'yNmSrk01qB', 'ToString', 'EbhSEqkpJD', 'OIJS5Ar2So', 'iPxSy3gm7F', 'cdTSNleVvd', 'EcfSAu7XbV', 'RoNS2AKMIP', 'G6CSRwiWhl'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	High entropy of concatenated method names: 'myjQJKWL9f', 'tJNQEm8MLm', 'suLQ5tuL6f', 'cCBQyEGYnQ', 'YyZQNtDuqJ', 'ffNQA3SUrT', 'F0BQ2naTL6', 'aKqQRKOJHB', 'ah5QMdJSnL', 'DctQjOnP1N'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, po6Efi4p42Wf6LMnkx.cs	High entropy of concatenated method names: 'ToString', 'MtWLtvF9Cv', 'TU7LuxbieS', 'dL5LYUpfSQ', 'IIgLit9bLM', 'JqcLXWsyDU', 'APoLaiNFSq', 'oY2LTOaUq5', 'xiHLlOcg9u', 'mjOLGlKUtg'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, kKRAy5eHKfl9wqw590.cs	High entropy of concatenated method names: 'zF45fMq9eQ', 'vDy50mj7yk', 'pf954sOIdh', 'jp95Fwg1w3', 'jnv5w1Yc4X', 't7g5vbGPcl', 'Rkg5WekkQB', 'qRa5sZY7Wt', 'KSl5nNrdR5', 'S2D53Ib7M4'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, nhpRVqzsddf4BrYXEr.cs	High entropy of concatenated method names: 'dEaDUyJP6i', 'fYxDefKvYC', 'i6lDKwoeRo', 'xLhDBvVZOi', 'rhRDudOwdn', 'UJxDiQSTP5', 'lKqDXlROKn', 'rypDqOn0ci', 'kKrDpy1gb5', 'kFQDHudgRk'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, SBWxvyfRioFwVe8jeZ.cs	High entropy of concatenated method names: 't03mo5fSJt', 'nxymODXtPW', 'QqgmffbtMd', 'c0Cm0S3nRQ', 'TPQmurhfih', 'MRKmYUoaW1', 'ID4mixTJuY', 'yeZmXXCa2l', 'k8jma76OCU', 'yN3mT3NIJe'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, MNyeyfGRJyNM4d92YO.cs	High entropy of concatenated method names: 'cfO2pjStmt', 'Vw62HRcl0T', 'Oom2ZS2MxQ', 'U2B29cehRw', 'H9B21ki3Ix', 'r7o2UmrPal', 'w5h26iJ9ii', 'vdv2eYOflJ', 'Ky02KIoHBd', 'sU52I2o5Q2'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, bF0hgkh86puLpmwH5Y.cs	High entropy of concatenated method names: 'vSrPeuMe2u', 'yWLPK3FJmm', 'zUnPBVvXoB', 'QYYPuKB9sW', 'BtDPibH7UH', 'ysFPXTjyyw', 'AQuPTQDjl6', 'j1nPlQcWyZ', 'DfsPoRA8Bi', 'JOLPt7d8DH'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, cYDN9mbHwm8PjAv2w8.cs	High entropy of concatenated method names: 'xWR82KRAy5', 'zKf8Rl9wqw', 'OUn8jqByYF', 'fny8rh9NUX', 'xnh8mBmq8U', 'k948LlnKDc', 'MphG785pDdm3fKyk9j', 'LE9VVR4GOBlJeba3Px', 'wBI882K249', 'R7y8QwCpy8'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, U1jAVhWgwPOnFHN0B7.cs	High entropy of concatenated method names: 'PMgxmVWJbA', 'UaxxSyBNtV', 'zW7xxlZvSs', 'THZxdVLIUE', 'ckPxg5vEhl', 'tDCxqj8bK6', 'Dispose', 'w81VEIwpRY', 'ej4V5meBcG', 'a6TVy3rqDO'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, qioHNnyJPf0YUQPlWS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rAckntQRPN', 'uuRk3LvCf0', 'JD1kz78JRx', 'D0NQ7LRvBe', 'vAnQ8Bl8vB', 'E3TQkm6nyx', 'COCQQx2tOk', 'RAqHAjgFtvq2UhK3ZNd'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, ln6u5C88JHsce7ISGNv.cs	High entropy of concatenated method names: 'j9SD31C92O', 'IEvDzickuC', 'daWd7RrOop', 'kOYd8jySBb', 'oT1dkTlNxZ', 'uYidQsoX3w', 'WT2db2VtPr', 'oRRdJsl4Bi', 'BHbdEN8xto', 'BLWd5NjE8E'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, gr3PQ03YuKAwFnNr3J.cs	High entropy of concatenated method names: 'eAgDycy0GV', 'bJiDNER8NI', 'M8IDAhMHoB', 'M5AD2uwoCQ', 'd8nDxa02RR', 'F1PDRQOlwY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, BHfZ5TaogBSaju12Rb.cs	High entropy of concatenated method names: 'jpcA4WYVso', 'vhFAFuHe1o', 'URMAwyrbDh', 'ToString', 'BImAvfIYwP', 'lXVAWIPfwq', 'sSabD6s8ALRtJlQNVxZ', 'Tmx6uNsHMQR95ehPxB0'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, JH2vGSnhUd3SDVMVC9.cs	High entropy of concatenated method names: 'euexBbb64G', 'TABxuCmBAi', 'qg1xYXSGM0', 'BiVxihKj2Y', 'vhlxX1fqcC', 'mLoxauuC9s', 'oDYxToYMqd', 'VuMxlY146D', 'Du4xG03sfT', 'DpTxosFFd8'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, yComp85yYmFaiduPKT.cs	High entropy of concatenated method names: 'Dispose', 'oOn8nFHN0B', 'z9Zkuw4QGi', 'MLvwK5QSvL', 'aIi83yP6vW', 'li38zEU5iA', 'ProcessDialogKey', 'Miik7H2vGS', 'QUdk83SDVM', 'rC9kk5r3PQ'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, lNkkgTk1CH30Ux4saL.cs	High entropy of concatenated method names: 'nRHZYVkp7', 'zmO9qfcNY', 'DKCUQCtjE', 'P3w657IoO', 'omrKWh16p', 'y7rIsuCGP', 'L7xdVTIi15GB5qERFI', 'rQ7W0xbuIDpgtn0Oom', 'x9GV915VU', 'quZDI39lu'
Source: 0.2.HCoITD94bW.exe.b100000.5.raw.unpack, x8UR94BlnKDc8fOujq.cs	High entropy of concatenated method names: 'ILCAJhqg9p', 'N37A5flV0s', 'mkFANWDNXn', 'vl8A2OHJLM', 'zryAR766hA', 'rtnNwE6j38', 'ohcNvAsOMu', 'mP3NWZEjRS', 'BuvNsAaDnN', 'H76NnuaKDh'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, PI80yk87oJpK0Rl74iA.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'V3xDtaMArC', 'UIIDOWIZXq', 'SZcDhmmgdo', 'AhnDfCqwfv', 'FdOD0r6WEs', 'fYfD4h7WYt', 'elJDFMi0hc'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, mKWchoKUnqByYFEnyh.cs	High entropy of concatenated method names: 'C2uy99FReo', 'wgFyUjA4M2', 'eScyeYALlK', 'GWlyKsjXZd', 'DOUymMvxQ6', 'dSyyLPmti1', 'AymyS5usbc', 'tpNyV45fAe', 'wH8yxSvIYU', 'yXuyDptZc6'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, q7gqetvCug0hv5udWc.cs	High entropy of concatenated method names: 'YbCSs8y1FC', 'vcqS3R1dZc', 'qXPV79bZmg', 'gq0V8iMIPb', 'PRISt5HJrC', 'yBKSOsF5LX', 'hCUSh0bAAx', 'nhYSfRetaf', 'rykS0xWyO4', 'RKRS4e0qjQ'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, nJB4qTFoHXGbibncOH.cs	High entropy of concatenated method names: 'd6nSjD1ZGQ', 'yNmSrk01qB', 'ToString', 'EbhSEqkpJD', 'OIJS5Ar2So', 'iPxSy3gm7F', 'cdTSNleVvd', 'EcfSAu7XbV', 'RoNS2AKMIP', 'G6CSRwiWhl'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, TwXKZyRFgl4CtwdoJs.cs	High entropy of concatenated method names: 'myjQJKWL9f', 'tJNQEm8MLm', 'suLQ5tuL6f', 'cCBQyEGYnQ', 'YyZQNtDuqJ', 'ffNQA3SUrT', 'F0BQ2naTL6', 'aKqQRKOJHB', 'ah5QMdJSnL', 'DctQjOnP1N'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, po6Efi4p42Wf6LMnkx.cs	High entropy of concatenated method names: 'ToString', 'MtWLtvF9Cv', 'TU7LuxbieS', 'dL5LYUpfSQ', 'IIgLit9bLM', 'JqcLXWsyDU', 'APoLaiNFSq', 'oY2LTOaUq5', 'xiHLlOcg9u', 'mjOLGlKUtg'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, kKRAy5eHKfl9wqw590.cs	High entropy of concatenated method names: 'zF45fMq9eQ', 'vDy50mj7yk', 'pf954sOIdh', 'jp95Fwg1w3', 'jnv5w1Yc4X', 't7g5vbGPcl', 'Rkg5WekkQB', 'qRa5sZY7Wt', 'KSl5nNrdR5', 'S2D53Ib7M4'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, nhpRVqzsddf4BrYXEr.cs	High entropy of concatenated method names: 'dEaDUyJP6i', 'fYxDefKvYC', 'i6lDKwoeRo', 'xLhDBvVZOi', 'rhRDudOwdn', 'UJxDiQSTP5', 'lKqDXlROKn', 'rypDqOn0ci', 'kKrDpy1gb5', 'kFQDHudgRk'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, SBWxvyfRioFwVe8jeZ.cs	High entropy of concatenated method names: 't03mo5fSJt', 'nxymODXtPW', 'QqgmffbtMd', 'c0Cm0S3nRQ', 'TPQmurhfih', 'MRKmYUoaW1', 'ID4mixTJuY', 'yeZmXXCa2l', 'k8jma76OCU', 'yN3mT3NIJe'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, MNyeyfGRJyNM4d92YO.cs	High entropy of concatenated method names: 'cfO2pjStmt', 'Vw62HRcl0T', 'Oom2ZS2MxQ', 'U2B29cehRw', 'H9B21ki3Ix', 'r7o2UmrPal', 'w5h26iJ9ii', 'vdv2eYOflJ', 'Ky02KIoHBd', 'sU52I2o5Q2'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, bF0hgkh86puLpmwH5Y.cs	High entropy of concatenated method names: 'vSrPeuMe2u', 'yWLPK3FJmm', 'zUnPBVvXoB', 'QYYPuKB9sW', 'BtDPibH7UH', 'ysFPXTjyyw', 'AQuPTQDjl6', 'j1nPlQcWyZ', 'DfsPoRA8Bi', 'JOLPt7d8DH'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, cYDN9mbHwm8PjAv2w8.cs	High entropy of concatenated method names: 'xWR82KRAy5', 'zKf8Rl9wqw', 'OUn8jqByYF', 'fny8rh9NUX', 'xnh8mBmq8U', 'k948LlnKDc', 'MphG785pDdm3fKyk9j', 'LE9VVR4GOBlJeba3Px', 'wBI882K249', 'R7y8QwCpy8'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, U1jAVhWgwPOnFHN0B7.cs	High entropy of concatenated method names: 'PMgxmVWJbA', 'UaxxSyBNtV', 'zW7xxlZvSs', 'THZxdVLIUE', 'ckPxg5vEhl', 'tDCxqj8bK6', 'Dispose', 'w81VEIwpRY', 'ej4V5meBcG', 'a6TVy3rqDO'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, qioHNnyJPf0YUQPlWS.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'rAckntQRPN', 'uuRk3LvCf0', 'JD1kz78JRx', 'D0NQ7LRvBe', 'vAnQ8Bl8vB', 'E3TQkm6nyx', 'COCQQx2tOk', 'RAqHAjgFtvq2UhK3ZNd'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, ln6u5C88JHsce7ISGNv.cs	High entropy of concatenated method names: 'j9SD31C92O', 'IEvDzickuC', 'daWd7RrOop', 'kOYd8jySBb', 'oT1dkTlNxZ', 'uYidQsoX3w', 'WT2db2VtPr', 'oRRdJsl4Bi', 'BHbdEN8xto', 'BLWd5NjE8E'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, gr3PQ03YuKAwFnNr3J.cs	High entropy of concatenated method names: 'eAgDycy0GV', 'bJiDNER8NI', 'M8IDAhMHoB', 'M5AD2uwoCQ', 'd8nDxa02RR', 'F1PDRQOlwY', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, BHfZ5TaogBSaju12Rb.cs	High entropy of concatenated method names: 'jpcA4WYVso', 'vhFAFuHe1o', 'URMAwyrbDh', 'ToString', 'BImAvfIYwP', 'lXVAWIPfwq', 'sSabD6s8ALRtJlQNVxZ', 'Tmx6uNsHMQR95ehPxB0'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, JH2vGSnhUd3SDVMVC9.cs	High entropy of concatenated method names: 'euexBbb64G', 'TABxuCmBAi', 'qg1xYXSGM0', 'BiVxihKj2Y', 'vhlxX1fqcC', 'mLoxauuC9s', 'oDYxToYMqd', 'VuMxlY146D', 'Du4xG03sfT', 'DpTxosFFd8'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, yComp85yYmFaiduPKT.cs	High entropy of concatenated method names: 'Dispose', 'oOn8nFHN0B', 'z9Zkuw4QGi', 'MLvwK5QSvL', 'aIi83yP6vW', 'li38zEU5iA', 'ProcessDialogKey', 'Miik7H2vGS', 'QUdk83SDVM', 'rC9kk5r3PQ'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, lNkkgTk1CH30Ux4saL.cs	High entropy of concatenated method names: 'nRHZYVkp7', 'zmO9qfcNY', 'DKCUQCtjE', 'P3w657IoO', 'omrKWh16p', 'y7rIsuCGP', 'L7xdVTIi15GB5qERFI', 'rQ7W0xbuIDpgtn0Oom', 'x9GV915VU', 'quZDI39lu'
Source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, x8UR94BlnKDc8fOujq.cs	High entropy of concatenated method names: 'ILCAJhqg9p', 'N37A5flV0s', 'mkFANWDNXn', 'vl8A2OHJLM', 'zryAR766hA', 'rtnNwE6j38', 'ohcNvAsOMu', 'mP3NWZEjRS', 'BuvNsAaDnN', 'H76NnuaKDh'

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File created: C:\Users\user\AppData\Roaming\AppData\AppData.exe

Jump to dropped file

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppData			Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AppData			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\HCoITD94bW.exe

File opened: C:\Users\user\AppData\Roaming\AppData\AppData.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 1628, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 4690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 9CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: ACE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: B170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: C170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: D170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory allocated: 5090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 5230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 8F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 9F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: A120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: B120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: BB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: CB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: DB20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 1050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 2C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 71F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 9830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: A830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: B0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: C0E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory allocated: 51C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Window / User API: threadDelayed 3316	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Window / User API: threadDelayed 6501	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window / User API: threadDelayed 5515	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window / User API: threadDelayed 4287	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window / User API: threadDelayed 3222
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Window / User API: threadDelayed 6613

Source: C:\Users\user\Desktop\HCoITD94bW.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe TID: 7488	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 7780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 2416	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 2416	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 844	Thread sleep count: 5515 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 844	Thread sleep count: 4287 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 5816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 7292	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 7292	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 7336	Thread sleep count: 3222 > 30
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe TID: 7336	Thread sleep count: 6613 > 30

Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HCoITD94bW.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Thread delayed: delay time: 922337203685477

Source: AppData.exe, 0000000E.00000002.3570502764.0000000006838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: HCoITD94bW.exe, 00000002.00000002.3545812209.0000000001524000.00000004.00000020.00020000.00000000.sdmp, AppData.exe, 00000005.00000002.3545884346.0000000001068000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Code function: 2_2_078421B0 LdrInitializeThunk,

2_2_078421B0

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Memory written: C:\Users\user\Desktop\HCoITD94bW.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory written: C:\Users\user\AppData\Roaming\AppData\AppData.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Memory written: C:\Users\user\AppData\Roaming\AppData\AppData.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Process created: C:\Users\user\Desktop\HCoITD94bW.exe "C:\Users\user\Desktop\HCoITD94bW.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Process created: C:\Users\user\AppData\Roaming\AppData\AppData.exe "C:\Users\user\AppData\Roaming\AppData\AppData.exe"	Jump to behavior

Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br>t-oq
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br><b>[ ]</b> (07/03/2025 17:49:23)<br>r
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}THtqT
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br><b>[ ]</b> (07/03/2025 17:49:23)<br>r@\oqh
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.0000000003502000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br><b>[ ]</b> (07/03/2025 17(
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-oq
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br><b>[ ]</b> (07/03/2025 17:49:23)<br>LRoqD
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}THtqT
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}r{Win}<br><b>[ ]</b> (07/03/2025 17:49:23)<br>rTHtqT
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>{Win}rTHtqT
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (07/03/2025 17:24:30)<br>
Source: HCoITD94bW.exe, 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLRoq

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Users\user\Desktop\HCoITD94bW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Users\user\Desktop\HCoITD94bW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppData\AppData.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppData\AppData.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppData\AppData.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Users\user\AppData\Roaming\AppData\AppData.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\HCoITD94bW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 2404, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 2404, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\HCoITD94bW.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\HCoITD94bW.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\HCoITD94bW.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\AppData\AppData.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 2404, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.HCoITD94bW.exe.36ba508.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.36ba508.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.44b29b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.4489990.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4193ce8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.44b29b0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4193ce8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.4126ac8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.AppData.exe.4489990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HCoITD94bW.exe.40b98a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1359535705.00000000046A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1359535705.0000000004489000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1095948057.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1095948057.0000000003EF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.00000000030F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 2404, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000002.00000002.3549792215.00000000030CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3551197176.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3549792215.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3548930931.000000000320F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HCoITD94bW.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AppData.exe PID: 2404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	112 Process Injection	11 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HCoITD94bW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
HCoITD94bW.exe