Edit tour

Windows Analysis Report
PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	830558
MD5:	03d90e26c8a6fbbeb284359b0f90ee91
SHA1:	68b83832a4423003564a8df9af2cda29622190a0
SHA256:	eb2ad014aa499fd10c8ec16353295ace996e28a7d822097caf7bd11929c0b558
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

PO.exe (PID: 5176 cmdline: C:\Users\user\Desktop\PO.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

PO.exe (PID: 1116 cmdline: C:\Users\user\Desktop\PO.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 5144 cmdline: "C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe" MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 2888 cmdline: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 4980 cmdline: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe" MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 3932 cmdline: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

keWKhH.exe (PID: 3180 cmdline: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe MD5: 03D90E26C8A6FBBEB284359B0F90EE91)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "sudeni@dalwabo-jp.com", "Password": "     dLm)Xyz9     "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 1116	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO.exe PID: 1116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: keWKhH.exe PID: 4980	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: keWKhH.exe PID: 4980	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: keWKhH.exe PID: 3180	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: keWKhH.exe PID: 3180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: PO.exe

ReversingLabs: Detection: 38%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

ReversingLabs: Detection: 38%

Machine Learning detection for sample

Source: PO.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

Joe Sandbox ML: detected

Source: 0.2.PO.exe.3f2eeb0.8.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com", "Username": "sudeni@dalwabo-jp.com", "Password": " dLm)Xyz9 "}

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wAGa.pdb source: PO.exe, keWKhH.exe.6.dr
Source:	Binary string: wAGa.pdbSHA256 source: PO.exe, keWKhH.exe.6.dr

Source: Joe Sandbox View

IP Address: 208.91.198.143 208.91.198.143

Source: global traffic	TCP traffic: 192.168.2.3:49700 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.3:49703 -> 208.91.199.223:587

Source: global traffic	TCP traffic: 192.168.2.3:49700 -> 208.91.198.143:587
Source: global traffic	TCP traffic: 192.168.2.3:49703 -> 208.91.199.223:587

Source: PO.exe, 00000006.00000002.533158671.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.553635276.00000000068B4000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.533734950.0000000000E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO.exe, 00000006.00000002.533158671.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0A
Source: PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown

DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Source: keWKhH.exe, 0000000B.00000002.330356628.00000000007B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: PO.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00FDC844	0_2_00FDC844
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00FDF1F8	0_2_00FDF1F8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00FDF1E8	0_2_00FDF1E8
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A0040	0_2_054A0040
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A0006	0_2_054A0006
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A02D1	0_2_054A02D1
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A02E0	0_2_054A02E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A9D40	0_2_054A9D40
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05B302E0	0_2_05B302E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05B348C0	0_2_05B348C0
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_02D6A9B8	6_2_02D6A9B8
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_02D6C978	6_2_02D6C978
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_02D69DA0	6_2_02D69DA0
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_02D6A0E8	6_2_02D6A0E8
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06325668	6_2_06325668
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06320400	6_2_06320400
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_063223E8	6_2_063223E8
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_063273C8	6_2_063273C8
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06329008	6_2_06329008
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06321D28	6_2_06321D28
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06326A38	6_2_06326A38
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AACEC0	6_2_06AACEC0
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA3E51	6_2_06AA3E51
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA0040	6_2_06AA0040
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AAF188	6_2_06AAF188
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AABFC8	6_2_06AABFC8
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AAAD48	6_2_06AAAD48
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA3A48	6_2_06AA3A48
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AAF390	6_2_06AAF390
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AAF8FF	6_2_06AAF8FF
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA81A0	6_2_06AA81A0
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_022CC844	11_2_022CC844
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_022CF1E8	11_2_022CF1E8
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_022CF1F8	11_2_022CF1F8
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_04A80240	11_2_04A80240
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_04A84278	11_2_04A84278
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_04A80882	11_2_04A80882
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E02D1	11_2_065E02D1
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E02E0	11_2_065E02E0
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E0040	11_2_065E0040
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E0006	11_2_065E0006
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065F02E0	11_2_065F02E0
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065F4940	11_2_065F4940

Source: PO.exe, 00000000.00000000.264075707.0000000000748000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewAGa.exe> vs PO.exe
Source: PO.exe, 00000000.00000002.312416410.0000000007340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO.exe
Source: PO.exe, 00000000.00000002.302999935.0000000003B79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002C47000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs PO.exe
Source: PO.exe, 00000000.00000002.302999935.0000000003ED8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll, vs PO.exe
Source: PO.exe, 00000000.00000002.289521683.0000000002BB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe, 00000006.00000002.532341288.0000000000F88000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO.exe
Source: PO.exe, 00000006.00000002.531388720.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename48fb3650-a520-48b4-9e2f-1fc3b6395358.exe4 vs PO.exe
Source: PO.exe	Binary or memory string: OriginalFilenamewAGa.exe> vs PO.exe

Source: PO.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: keWKhH.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO.exe

ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe "C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe"
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe "C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe"
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/4@4/2

Source: PO.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: PO.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wAGa.pdb source: PO.exe, keWKhH.exe.6.dr
Source:	Binary string: wAGa.pdbSHA256 source: PO.exe, keWKhH.exe.6.dr

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00FDCB38 pushfd ; ret	0_2_00FDCB39
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A4106 push es; ret	0_2_054A4107
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_054A40BD push ebx; ret	0_2_054A40C3
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_05B30924 push es; retf	0_2_05B30935
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA6660 push es; ret	6_2_06AA6670
Source: C:\Users\user\Desktop\PO.exe	Code function: 6_2_06AA5FB5 push es; ret	6_2_06AA5FBC
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E6371 push es; ret	11_2_065E6380
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E633D push es; ret	11_2_065E6370
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E6021 push es; ret	11_2_065E6048
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E40BD push ebx; ret	11_2_065E40C3
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065E4106 push es; ret	11_2_065E4107
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Code function: 11_2_065F0924 push es; retf	11_2_065F0935

Source: initial sample	Static PE information: section name: .text entropy: 7.870304849303137
Source: initial sample	Static PE information: section name: .text entropy: 7.870304849303137

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

Jump to dropped file

Source: C:\Users\user\Desktop\PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run keWKhH			Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run keWKhH			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\PO.exe

File opened: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO.exe TID: 5224	Thread sleep time: -40023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 5192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 5916	Thread sleep count: 6216 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99841s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99623s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99509s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -99016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98419s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98288s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98159s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97753s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97622s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97394s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97242s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -96889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -96749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe TID: 1568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 1244	Thread sleep time: -40023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 5352	Thread sleep count: 5784 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99842s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99730s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99621s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99512s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99378s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -99030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98358s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -98029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97919s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97702s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97592s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97482s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97176s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -97054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -96929s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 3796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 6068	Thread sleep time: -40023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 5560	Thread sleep count: 7608 > 30
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99843s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99734s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99147s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97961s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97843s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96907s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96796s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96687s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96578s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96469s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96249s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96138s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -96030s >= -30000s
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe TID: 2096	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\PO.exe	Window / User API: threadDelayed 6216	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Window / User API: threadDelayed 5784	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Window / User API: threadDelayed 7608

Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 40023	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99841	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99732	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99623	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99509	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99141	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 99016	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98529	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98419	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98288	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98159	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97872	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97753	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97622	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97394	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97242	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97121	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 97000	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 96889	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 96749	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 40023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99842	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99730	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99621	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99512	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99378	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98921	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98576	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98358	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98029	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97919	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97811	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97592	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97482	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97176	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97054	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 40023	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99843
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99734
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99390
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99147
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 99031
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98922
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98297
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97961
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97843
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97500
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97391
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97281
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97172
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 97063
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96907
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96796
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96687
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96578
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96469
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96359
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96249
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96138
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 96030
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Thread delayed: delay time: 922337203685477

Source: PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Memory written: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Memory written: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Process created: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 6_2_02D6F6D8 GetUserNameW,

6_2_02D6F6D8

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 1116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 4980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: keWKhH.exe PID: 3180, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	1 Input Capture	114 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	131 Virtualization/Sandbox Evasion	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	111 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Files and Directories	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO.exe	38%	ReversingLabs	Win32.Trojan.Generic
PO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe	38%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://ocsp.sectigo.com0A	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
us2.smtp.mailhostbox.com	208.91.198.143	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://us2.smtp.mailhostbox.com	PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0A	PO.exe, 00000006.00000002.533158671.0000000001258000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000006.00000002.536082591.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 00000006.00000002.533158671.000000000129D000.00000004.00000020.00020000.00000000.sdmp, keWKhH.exe, 0000000D.00000002.536833086.0000000003169000.00000004.00000800.00020000.00000000.sdmp, keWKhH.exe, 00000010.00000002.536562013.0000000002AF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	PO.exe, 00000000.00000002.309764794.0000000006B82000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.198.143	us2.smtp.mailhostbox.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false
208.91.199.223	unknown	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830558
Start date and time:	2023-03-20 13:54:26 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	PO.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/4@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 51 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO.exe

Simulations

Behavior and APIs

Time	Type	Description
13:55:36	API Interceptor	28x Sleep call for process: PO.exe modified
13:55:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run keWKhH C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
13:55:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run keWKhH C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
13:55:56	API Interceptor	63x Sleep call for process: keWKhH.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
208.91.198.143	DHL_Shipping_Document2.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	2303-64687.exe	Get hash	malicious	AgentTesla	Browse
	DHL_AWB_copy_&_draft_COO.exe	Get hash	malicious	AgentTesla	Browse
	Enercov_PO_202246755181.exe	Get hash	malicious	AgentTesla	Browse
	JSyBhM74Sj.exe	Get hash	malicious	AgentTesla	Browse
	Statement- Feb 2023.exe	Get hash	malicious	AgentTesla	Browse
	PO_190834253.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	wH6Ft5wweX.exe	Get hash	malicious	AgentTesla	Browse
	Remittance_Advice_MT103.exe	Get hash	malicious	AgentTesla	Browse
	9JNEJMGVi4.exe	Get hash	malicious	AgentTesla	Browse
	file.exe	Get hash	malicious	AgentTesla	Browse
	Swift_92be67ab-e027-4955-b6fc-64b.exe	Get hash	malicious	AgentTesla	Browse
	file.exe	Get hash	malicious	AgentTesla	Browse
	vbc.exe	Get hash	malicious	AgentTesla	Browse
	WzmnvvSETF.exe	Get hash	malicious	AgentTesla	Browse
	RxcddfrL4j.exe	Get hash	malicious	AgentTesla	Browse
	RU5NzaLwKA.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	4N8M1a0RZ0.exe	Get hash	malicious	AgentTesla	Browse
	jq5AqYT6rm.exe	Get hash	malicious	AgentTesla	Browse
	Re RETURN PAYMENT TT.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us2.smtp.mailhostbox.com	DHL_Shipping_Document2.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	208.91.199.223
	2303-64687.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	DHL_AWB_copy_&_draft_COO.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Enercov_PO_202246755181.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	ORIGINAL_SHIPPING_DOCUMENT.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Shipping_doc.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.225
	JSyBhM74Sj.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	dxet2ADvMO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Statement- Feb 2023.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	PO_190834253.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	208.91.198.143
	final_docs..exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SST_Statement-_Feb_2023.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	208.91.199.224
	o72aqcE3gB.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	wH6Ft5wweX.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	r05593373.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	INV_50057_0111986532214.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	SecuriteInfo.com.Win32.PWSX-gen.32656.4667.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	RFQ_080323MECHNBIMar-23.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	208.91.199.225
	ARRIVAL_NOTICE_-_BL_-_TSHHKG23020096A_NEW_SHIPMENT_FCL.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	PENDING_ORDERS.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	DHL_Shipping_Document2.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	208.91.199.223
	2303-64687.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	New_Order.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	https://www.dr-aljumaa.com/favicon.ico	Get hash	malicious	Unknown	Browse	162.222.226.174
	DHL_AWB_copy_&_draft_COO.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Enercov_PO_202246755181.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	http://comfin.mx/notasbancos/16eluniversal14-supConvencionBancaria-bancopp	Get hash	malicious	Unknown	Browse	199.79.62.169
	ORIGINAL_SHIPPING_DOCUMENT.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	DISCOUNT_PRICES.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	199.79.62.12
	Proforma_Invoice.exe	Get hash	malicious	FormBook	Browse	216.10.248.111
	Shipping_doc.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	PURCHASE_CONTRACT.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.12
	ARRIVAL_NOTICE.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.12
	Proforma_Invoice.exe	Get hash	malicious	FormBook	Browse	216.10.248.111
	https://www.dropbox.com/scl/fi/m5mvxzev2p1sywrwhx645/You-have-received-some-incoming-secured-fax-document.paper?dl=0&rlkey=ssarv205bn9gfqqvovrswidd9	Get hash	malicious	HTMLPhisher	Browse	103.211.216.141
	JSyBhM74Sj.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	dxet2ADvMO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.224
	PO2300109.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.12
	PO_#JB2210-0005.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	199.79.62.12
	URGENT_REGUEST.exe	Get hash	malicious	FormBook	Browse	216.10.248.111

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\keWKhH.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	744960
Entropy (8bit):	7.861489987265584
Encrypted:	false
SSDEEP:	12288:chmmYMUnFW/NQbwf4i9aXFc4fUDC/MbGh+796B5PthWxnr569lgx/0PHSHFfG2Sc:chmUWPWa75EbGhK92Vcnr8Q90PQY2ShW
MD5:	03D90E26C8A6FBBEB284359B0F90EE91
SHA1:	68B83832A4423003564A8DF9AF2CDA29622190A0
SHA-256:	EB2AD014AA499FD10C8EC16353295ACE996E28A7D822097CAF7BD11929C0B558
SHA-512:	2D36BF943AC0B78940780209273C400F6B99344CAECEF2351A7EAE639A62B1B93DF8FF796215D75380B61CA2906DB1DB0A2A620BC7CB596B31806A2333CFE180
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..H...........f... ........@.. ....................................@.................................mf..O...................................XR..T............................................ ............... ..H............text....F... ...H.................. ..`.rsrc................J..............@..@.reloc...............\..............@..B.................f......H.......@V...1......".......H............................................0..R..........4...%..{....{L....%.r...p.%..\|....(.....%.r...p.%..{.....X...(.....(.......+.....0..&..........{........,...{.....+....{....Z.+..".(.....*..0..z..............}...........}......}.....(.......(......{.....s!...%.d}M...%r!..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r)..p}L...%.{....}P...%.{....}O.....{.....s!...%.d}M...%r1..p}L...%.{....}P...%.{....}O......{.......+........o....&.

C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.861489987265584
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO.exe
File size:	744960
MD5:	03d90e26c8a6fbbeb284359b0f90ee91
SHA1:	68b83832a4423003564a8df9af2cda29622190a0
SHA256:	eb2ad014aa499fd10c8ec16353295ace996e28a7d822097caf7bd11929c0b558
SHA512:	2d36bf943ac0b78940780209273c400f6b99344caecef2351a7eae639a62b1b93df8ff796215d75380b61ca2906db1db0a2a620bc7cb596b31806a2333cfe180
SSDEEP:	12288:chmmYMUnFW/NQbwf4i9aXFc4fUDC/MbGh+796B5PthWxnr569lgx/0PHSHFfG2Sc:chmUWPWa75EbGhK92Vcnr8Q90PQY2ShW
TLSH:	B2F401392BAA5238F83657BD85E42290577D77A32B17C58D14F121CE5B73B038AD0A3B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..............0..H...........f... ........@.. ....................................@................................

File Icon


Icon Hash:	209480e66eb84902

Static PE Info

General

Entrypoint:	0x4b66c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6417B6B1 [Mon Mar 20 01:28:17 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb666d	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x1110	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb5258	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb46c8	0xb4800	False	0.926453482081025	data	7.870304849303137	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x1110	0x1200	False	0.7298177083333334	data	6.6330181066106375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb8100	0xa79	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xb8b8c	0x14	data
RT_VERSION	0xb8bb0	0x360	data
RT_MANIFEST	0xb8f20	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 13:55:51.379208088 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:51.561971903 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:51.568327904 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:51.822913885 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:51.823677063 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.006165981 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.007561922 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.022155046 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.204807043 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.277923107 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.469763041 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.469798088 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.469816923 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.469832897 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.469852924 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.469980001 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.652877092 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:52.694524050 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.722714901 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:52.906130075 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:53.065079927 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:53.248606920 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:53.249872923 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:53.435743093 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:53.436301947 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:53.630464077 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:53.631983042 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:53.817394018 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:53.817768097 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.025801897 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:54.051700115 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.235774040 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:54.238713026 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.238836050 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.238903046 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.238959074 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:55:54.421613932 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:54.421794891 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:54.549983978 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:55:54.694654942 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:19.372095108 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:19.556463957 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:19.558954954 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:19.747483969 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:19.750802994 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:19.933517933 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:19.933639050 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:19.934598923 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.118187904 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.132863045 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.316102028 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.316154957 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.316188097 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.316232920 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.316243887 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.316360950 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.319158077 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.400011063 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.499293089 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.507908106 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.691613913 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.766664982 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:20.949820995 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:20.950285912 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.136104107 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:21.136550903 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.325586081 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:21.325930119 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.512427092 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:21.512749910 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.726322889 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:21.753025055 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.937357903 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:21.938667059 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.938776016 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.938776016 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:21.938776016 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:22.121570110 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:22.121669054 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:22.253518105 CET	587	49702	208.91.198.143	192.168.2.3
Mar 20, 2023 13:56:22.400196075 CET	49702	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:56:29.827996016 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.011459112 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.014067888 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.268151045 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.269398928 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.452392101 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.452708006 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.453392982 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.636518955 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.647614002 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.832444906 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.832494020 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.832515955 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.832532883 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.832700968 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.832743883 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:30.833830118 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:30.901175022 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.015933990 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:31.018685102 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.202668905 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:31.244693995 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.250622034 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.438999891 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:31.439589977 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.626100063 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:31.626549006 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:31.816194057 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:31.816536903 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.002883911 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.003215075 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.213926077 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.214193106 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.400808096 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.401885033 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.402004957 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.402059078 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.402106047 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:56:32.585180044 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.585311890 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.724270105 CET	587	49703	208.91.199.223	192.168.2.3
Mar 20, 2023 13:56:32.776011944 CET	49703	587	192.168.2.3	208.91.199.223
Mar 20, 2023 13:57:31.375132084 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:57:31.558640003 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:57:31.559303045 CET	587	49700	208.91.198.143	192.168.2.3
Mar 20, 2023 13:57:31.560026884 CET	49700	587	192.168.2.3	208.91.198.143
Mar 20, 2023 13:57:31.569428921 CET	49700	587	192.168.2.3	208.91.198.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 20, 2023 13:55:51.338753939 CET	49977	53	192.168.2.3	8.8.8.8
Mar 20, 2023 13:55:51.360728979 CET	53	49977	8.8.8.8	192.168.2.3
Mar 20, 2023 13:56:19.286415100 CET	57990	53	192.168.2.3	8.8.8.8
Mar 20, 2023 13:56:19.307167053 CET	53	57990	8.8.8.8	192.168.2.3
Mar 20, 2023 13:56:28.777345896 CET	52387	53	192.168.2.3	8.8.8.8
Mar 20, 2023 13:56:29.781128883 CET	52387	53	192.168.2.3	8.8.8.8
Mar 20, 2023 13:56:29.801374912 CET	53	52387	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 20, 2023 13:55:51.338753939 CET	192.168.2.3	8.8.8.8	0x12ed	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:19.286415100 CET	192.168.2.3	8.8.8.8	0x4bac	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:28.777345896 CET	192.168.2.3	8.8.8.8	0x2cd4	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:29.781128883 CET	192.168.2.3	8.8.8.8	0x2cd4	Standard query (0)	us2.smtp.mailhostbox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 20, 2023 13:55:51.360728979 CET	8.8.8.8	192.168.2.3	0x12ed	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:55:51.360728979 CET	8.8.8.8	192.168.2.3	0x12ed	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:55:51.360728979 CET	8.8.8.8	192.168.2.3	0x12ed	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:55:51.360728979 CET	8.8.8.8	192.168.2.3	0x12ed	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:19.307167053 CET	8.8.8.8	192.168.2.3	0x4bac	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:19.307167053 CET	8.8.8.8	192.168.2.3	0x4bac	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:19.307167053 CET	8.8.8.8	192.168.2.3	0x4bac	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:19.307167053 CET	8.8.8.8	192.168.2.3	0x4bac	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:29.801374912 CET	8.8.8.8	192.168.2.3	0x2cd4	No error (0)	us2.smtp.mailhostbox.com	208.91.199.223	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:29.801374912 CET	8.8.8.8	192.168.2.3	0x2cd4	No error (0)	us2.smtp.mailhostbox.com	208.91.198.143	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:29.801374912 CET	8.8.8.8	192.168.2.3	0x2cd4	No error (0)	us2.smtp.mailhostbox.com	208.91.199.225	A (IP address)	IN (0x0001)	false
Mar 20, 2023 13:56:29.801374912 CET	8.8.8.8	192.168.2.3	0x2cd4	No error (0)	us2.smtp.mailhostbox.com	208.91.199.224	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 20, 2023 13:55:51.822913885 CET	587	49700	208.91.198.143	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Mar 20, 2023 13:55:51.823677063 CET	49700	587	192.168.2.3	208.91.198.143	EHLO 494126
Mar 20, 2023 13:55:52.007561922 CET	587	49700	208.91.198.143	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Mar 20, 2023 13:55:52.022155046 CET	49700	587	192.168.2.3	208.91.198.143	STARTTLS
Mar 20, 2023 13:55:52.204807043 CET	587	49700	208.91.198.143	192.168.2.3	220 2.0.0 Ready to start TLS
Mar 20, 2023 13:56:19.747483969 CET	587	49702	208.91.198.143	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Mar 20, 2023 13:56:19.750802994 CET	49702	587	192.168.2.3	208.91.198.143	EHLO 494126
Mar 20, 2023 13:56:19.933639050 CET	587	49702	208.91.198.143	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Mar 20, 2023 13:56:19.934598923 CET	49702	587	192.168.2.3	208.91.198.143	STARTTLS
Mar 20, 2023 13:56:20.118187904 CET	587	49702	208.91.198.143	192.168.2.3	220 2.0.0 Ready to start TLS
Mar 20, 2023 13:56:30.268151045 CET	587	49703	208.91.199.223	192.168.2.3	220 us2.outbound.mailhostbox.com ESMTP Postfix
Mar 20, 2023 13:56:30.269398928 CET	49703	587	192.168.2.3	208.91.199.223	EHLO 494126
Mar 20, 2023 13:56:30.452708006 CET	587	49703	208.91.199.223	192.168.2.3	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Mar 20, 2023 13:56:30.453392982 CET	49703	587	192.168.2.3	208.91.199.223	STARTTLS
Mar 20, 2023 13:56:30.636518955 CET	587	49703	208.91.199.223	192.168.2.3	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	13:55:28
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO.exe
Imagebase:	0x690000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	13:55:38
Start date:	20/03/2023
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO.exe
Imagebase:	0xb40000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.536082591.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	13:55:52
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe"
Imagebase:	0xa0000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	13:55:58
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Imagebase:	0x10000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	13:55:58
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Imagebase:	0xd70000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.536833086.000000000311C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	13:56:00
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe"
Imagebase:	0x850000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	13:56:15
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Imagebase:	0x3a0000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	16
Start time:	13:56:15
Start date:	20/03/2023
Path:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe
Imagebase:	0x660000
File size:	744960 bytes
MD5 hash:	03D90E26C8A6FBBEB284359B0F90EE91
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.536562013.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	91
Total number of Limit Nodes:	7

Executed Functions

Function 05B302E0 Relevance: 1.5, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pl-pl, xrefs: 05B3041B

Memory Dump Source

Source File: 00000000.00000002.309596975.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_PO.jbxd

Similarity

API ID:
String ID: pl-pl
API String ID: 0-363781727
Opcode ID: 2f9a4dfb5903d06738c4729203b810eef1147bd69b93a921a8edeeb5157fddca
Instruction ID: 7e755be17e71c7896666bfa05a6f003386faf0e2768ea047c990127081fbd9b1
Opcode Fuzzy Hash: 2f9a4dfb5903d06738c4729203b810eef1147bd69b93a921a8edeeb5157fddca
Instruction Fuzzy Hash: 139103B4A4521DDFCB04DFA9C5855EDFBB2FF48300F24A59AD006BB215D734A942CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC300 Relevance: 6.1, APIs: 4, Instructions: 122
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDC370
GetCurrentThread.KERNEL32 ref: 00FDC3AD
GetCurrentProcess.KERNEL32 ref: 00FDC3EA
GetCurrentThreadId.KERNEL32 ref: 00FDC443

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3188dc6b951cd998be0f49e8eda5260fbf01d84c251894ea289d8d4f1797ba37
Instruction ID: d3386f4c160105213d9c75af204e02fa788af3b583801d581aeef670d6d14b20
Opcode Fuzzy Hash: 3188dc6b951cd998be0f49e8eda5260fbf01d84c251894ea289d8d4f1797ba37
Instruction Fuzzy Hash: FF5176B4D002498FDB11CFAAC98879EBFF1AF49314F24C49AE009A7391C7756984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC310 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FDC370
GetCurrentThread.KERNEL32 ref: 00FDC3AD
GetCurrentProcess.KERNEL32 ref: 00FDC3EA
GetCurrentThreadId.KERNEL32 ref: 00FDC443

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8637d31703531aa10fc17f1f89dc26da5eabca57f4cae33e5b3b731b6cf0eaff
Instruction ID: a2b22f372277b8c6eb1c0088cf10db470c236e3d7e45f95055c789403342d407
Opcode Fuzzy Hash: 8637d31703531aa10fc17f1f89dc26da5eabca57f4cae33e5b3b731b6cf0eaff
Instruction Fuzzy Hash: E65156B4D002498FDB10CFAAC988B9EBBF1BF48314F24C45AE409A7391C7756984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA028 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDA26E

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5ee8d7f84f4be157d01aa505168e3f50e92bdf22c3449116ac9e467c5a8d7606
Instruction ID: 1386c7b63a288627995dce529d5cd5f8cf7f41457b89d209d6b8ec50b53c7a11
Opcode Fuzzy Hash: 5ee8d7f84f4be157d01aa505168e3f50e92bdf22c3449116ac9e467c5a8d7606
Instruction Fuzzy Hash: 74714470A00B058FDB24DF6AD44475ABBF2BF88314F04892EE08AD7B50DB75E8459F96

Uniqueness

Uniqueness Score: -1.00%

Function 00FD5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5421

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9f0f769b617f2fe5da826c05fa94fcefb9138b6a0b219774f2e107a2d644d9dc
Instruction ID: 0ed479c83b707b14a2c1287ee5b2e56080d5f7b657b44d3e93ebad2861d0778f
Opcode Fuzzy Hash: 9f0f769b617f2fe5da826c05fa94fcefb9138b6a0b219774f2e107a2d644d9dc
Instruction Fuzzy Hash: CD41F471C00618CFDB24DF99C884B8EBBF6BF49314F24809AD409AB251DBB55986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00FD3DE8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00FD5421

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bfd3376b4fbc378e866d2267f7441d74ccc47c9535689558ebceaa36a1cd967e
Instruction ID: 323e29e4f3132e52df327a4ca7fdd99032c782d11082f204fa50550fbc68e54f
Opcode Fuzzy Hash: bfd3376b4fbc378e866d2267f7441d74ccc47c9535689558ebceaa36a1cd967e
Instruction Fuzzy Hash: 6641F271C0061CCFDB24DFA9C884B8EBBF6BF49305F24809AD409AB251DBB56985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05B32DF1 Relevance: 1.6, APIs: 1, Instructions: 74
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05B32E55

Memory Dump Source

Source File: 00000000.00000002.309596975.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6d2af169ffc5f2253d6151c2cb892f8a55837327573eebb10e2bbcb8f0111835
Instruction ID: df650032b78cfb5c20007c22bb7c25e7cd32bfcd905527bedfb09981fcd1186d
Opcode Fuzzy Hash: 6d2af169ffc5f2253d6151c2cb892f8a55837327573eebb10e2bbcb8f0111835
Instruction Fuzzy Hash: B131F4B98002099FDB10CF99D986BDEFBF4FB48324F20845AE459B7600C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC938 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDC9C7

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2637ac06136f0f6d484ac2f03c178ebcb4638c72e886237adc04dc4036c8ce47
Instruction ID: 586affe4840c3d40b839ee2dfd65f5de934ae894261bcfaee25cfb6b37e27476
Opcode Fuzzy Hash: 2637ac06136f0f6d484ac2f03c178ebcb4638c72e886237adc04dc4036c8ce47
Instruction Fuzzy Hash: 932105B5D00249DFDB10CFA9D984ADEBFF5EB48324F14845AE814A3310C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC940 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FDC9C7

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ffb951ede93329a21c745fb56f63b963d8593589361e52a762ac51029cf5ce49
Instruction ID: 3a350dc2291812a4f9afdc5e92f997c79c61a3ed2527109b17002f6742f3f456
Opcode Fuzzy Hash: ffb951ede93329a21c745fb56f63b963d8593589361e52a762ac51029cf5ce49
Instruction Fuzzy Hash: FA21E0B59002099FDB10CFAAD984ADEBFF9EB48324F14841AE914A3310C379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA488 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FDA2E9,00000800,00000000,00000000), ref: 00FDA4FA

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51671f690c82d01c6b3c71e288dba5a9b3dfcd9a52338285f39eb58de80e36f5
Instruction ID: c7f859ef38a79588bace36eb0546e56340be02cc21495ab698253ea73df383b0
Opcode Fuzzy Hash: 51671f690c82d01c6b3c71e288dba5a9b3dfcd9a52338285f39eb58de80e36f5
Instruction Fuzzy Hash: BB1114B6D002099FDB10CF9AD844BDEFBF5AB49324F14852EE419A7310C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FD93D8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FDA2E9,00000800,00000000,00000000), ref: 00FDA4FA

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2b4b2d0ff448610d6bcefee8ea614d2944a5482870ce3e9da7dd70772e119f1c
Instruction ID: 6463cfa5f20e020bdb77098857b6ee56a4397ad565599f50bf4912cc99478402
Opcode Fuzzy Hash: 2b4b2d0ff448610d6bcefee8ea614d2944a5482870ce3e9da7dd70772e119f1c
Instruction Fuzzy Hash: 741103B6D002099FCB10CF9AD844BEEBBF5AB49324F54846EE419B7310C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA208 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FDA26E

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7c50c2fcbf5599a6ece3d702559115fa9add47d1513d92285cf404698a4d33dd
Instruction ID: 1ff10576e4cf3957f4d41a29ee537d368789ddcef84a5cfd7166ada4625205d4
Opcode Fuzzy Hash: 7c50c2fcbf5599a6ece3d702559115fa9add47d1513d92285cf404698a4d33dd
Instruction Fuzzy Hash: 581113B5C002498FCB10CF9AC844BDEFBF5AB88324F14845AD419A7300C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05B32DF8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05B32E55

Memory Dump Source

Source File: 00000000.00000002.309596975.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_PO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 602dbe92a45cb9b1fcbbdfc250117144483c870ee8b03a62bfb960b161934303
Instruction ID: 9e8f254bc81b4f8d11064186fa685278693804871ee940c7270bebf0be46c269
Opcode Fuzzy Hash: 602dbe92a45cb9b1fcbbdfc250117144483c870ee8b03a62bfb960b161934303
Instruction Fuzzy Hash: 4911D3B58002499FDB20CF9AD985BDEFBF8FB48324F208459E459B7600C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 054AFF40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e863cba2e84d162e157bb878c9cabf62712ad70fbad3d15c274da987057744
Instruction ID: 2e670c94801f51ba595267ff16dec043628784c9092cf91355c38796d2b0c993
Opcode Fuzzy Hash: d6e863cba2e84d162e157bb878c9cabf62712ad70fbad3d15c274da987057744
Instruction Fuzzy Hash: 23E04F34900208EFCB44DF94E44499DBFB4FF09311F208095E80517324C731AE54DF84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054A02E0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 054A19AD

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 92fc01c6f08093487427be4da4971ffb4a7e15f3e93f076e1f4641d29f1e8e8f
Instruction ID: 29ba27ba8d1f774150167629ad4ffd8d8b3754e3279ea706f600b4b57e73bc72
Opcode Fuzzy Hash: 92fc01c6f08093487427be4da4971ffb4a7e15f3e93f076e1f4641d29f1e8e8f
Instruction Fuzzy Hash: 7F410EB1E016688BEB6CCF6B8D4479AFAF7BFC9200F14C1BAD40DA6255DB7109958F01

Uniqueness

Uniqueness Score: -1.00%

Function 05B348C0 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309596975.0000000005B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b30000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fd5a020408ba268699bc41180c2dae33208ac58716d0c2b693098221b50a1f
Instruction ID: 8949e284f05f79f098b75ad51a3f9f60d57559fb52cc69b165457844761ad33c
Opcode Fuzzy Hash: 40fd5a020408ba268699bc41180c2dae33208ac58716d0c2b693098221b50a1f
Instruction Fuzzy Hash: FBD1BE31B046048FDB19DB79C456BAEB7F7AF89700F1484AAD046EB391DB39E805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF1F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5853b994a48bd3fbdaa55e2631f771470f23657cf6b24caca74565f589d6219
Instruction ID: 4370cbe986b94ce880612fe326c11135c5d600d874fdd23d6a7400f0676bf38e
Opcode Fuzzy Hash: a5853b994a48bd3fbdaa55e2631f771470f23657cf6b24caca74565f589d6219
Instruction Fuzzy Hash: F712B5F1411F4ACAD310CF65ED981A93BA9FF81B28B514308D3616BAF1D7B8116AEF44

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC844 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe746b0b931023bc40c98031cfeaceb58753a6810c06d51943718252c002d887
Instruction ID: 9923e74a99032f6cc37a277d053f6b35d529b35a4aef5a9a9b4b23cf532eb068
Opcode Fuzzy Hash: fe746b0b931023bc40c98031cfeaceb58753a6810c06d51943718252c002d887
Instruction Fuzzy Hash: 0BA18F36E0021A8FCF05DFA5C8845DDBBB3FF85310B19856AE905AF361DB35A905DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00FDF1E8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.288270588.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fd0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dbe2e1c5e88c440fc8a3bdeece1a0d824855712210d453186a1ccc435f5064
Instruction ID: 3370bd756f8049508d13275c014fb059cd1a22c9f744b7851bc7909e5138c448
Opcode Fuzzy Hash: f1dbe2e1c5e88c440fc8a3bdeece1a0d824855712210d453186a1ccc435f5064
Instruction Fuzzy Hash: F4C117B1811F4A8BD710CF65EC881A93BA9FF85B28F514309D3616B6F0D7B8116AEF44

Uniqueness

Uniqueness Score: -1.00%

Function 054A0006 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aca78abe4be397011d5bc937c39d185cd7c80ce391693aaa6a6535e02fb8ad9
Instruction ID: d0ef7283192a70a6db8ac5c6e6d481967e0ac02dec18932ff7689870cc2541e9
Opcode Fuzzy Hash: 8aca78abe4be397011d5bc937c39d185cd7c80ce391693aaa6a6535e02fb8ad9
Instruction Fuzzy Hash: 99717C7090124C8FD748EFBAE9416AE7BF7FFC4304B14C56AC0099B66AEB741906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054A0040 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba6e84cd0a7e3c4b0a68d681bea434cd4ad4aa880578e611af6468127180c04
Instruction ID: 9a6f3ab24773c52006bd47b4cf70d70980a5ba792eebed773280f70188a89198
Opcode Fuzzy Hash: 0ba6e84cd0a7e3c4b0a68d681bea434cd4ad4aa880578e611af6468127180c04
Instruction Fuzzy Hash: 5A613A70A0024D8BD748EFAAE9416AE7BF7FFC4304F14C42AD0199B669EF745905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 054A9D40 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd860c8c0b329e49b0773cfa54780965d7348ed9667490cebad310c7a5627bb
Instruction ID: 79e516a4272dbf2ba06000a3d7198a4ca921b53945a1a678d71dfaa8c19726db
Opcode Fuzzy Hash: cfd860c8c0b329e49b0773cfa54780965d7348ed9667490cebad310c7a5627bb
Instruction Fuzzy Hash: 6C413371E05A588BEB5CCF6B8D4069EFAF7BFC9201F14C1BA840DAA255DB3055468E41

Uniqueness

Uniqueness Score: -1.00%

Function 054A02D1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.309379681.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_54a0000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45104e5944fec898c20531628d82f5d58f55b7d6409e9d014f25f32954bb1e47
Instruction ID: f8010cb842a7da719e94d1f769543b6b1002ee22bde0035910909909c6bd6e97
Opcode Fuzzy Hash: 45104e5944fec898c20531628d82f5d58f55b7d6409e9d014f25f32954bb1e47
Instruction Fuzzy Hash: 3B4114B1E016588BEB5CCF6B9D4169DFAF3BFC8200F18C1BAD40DAA255DB3105568F01

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO.exePID: 1116, Parent PID: 5176COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.7%
Total number of Nodes:	81
Total number of Limit Nodes:	7

Executed Functions

Function 02D6F6D8 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 02D6F813

Memory Dump Source

Source File: 00000006.00000002.535856884.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d60000_PO.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c20728e2d598f3de2c7e237b324b06439186b520b191a88419e557a1fbb4b64f
Instruction ID: 78cc5d29204aa98d4ed6d2f068b9f875aec04157673cbad3dcac94504fa6a559
Opcode Fuzzy Hash: c20728e2d598f3de2c7e237b324b06439186b520b191a88419e557a1fbb4b64f
Instruction Fuzzy Hash: F95136B4D006188FDB18CFA9D888BADBBF5BF48314F248119E816BB755CB749844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3610 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AA3882

Memory Dump Source

Source File: 00000006.00000002.553997729.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6aa0000_PO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ef4b9fb312e8553ee5df89e6833041202fbde4af69be7ec868bf26fb993afcab
Instruction ID: b15d450f94f9d3b6ca736c82a20e7a8f95df182d23c3a3934f9b27bf6ff565af
Opcode Fuzzy Hash: ef4b9fb312e8553ee5df89e6833041202fbde4af69be7ec868bf26fb993afcab
Instruction Fuzzy Hash: EB9199B1C093889FDF52DFA5C8509DEBFB2EF0A250F19819BE444EB262C3759845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02D6F679 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 02D6F813

Memory Dump Source

Source File: 00000006.00000002.535856884.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d60000_PO.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1884ac0af4f7a2d505c7f97dccb4266ce71e3583e94d21c6760632a52df004ef
Instruction ID: cf43299e3747430c559df86ee0c6a2a8c4d9765749b77b315ac8dce6cceec00c
Opcode Fuzzy Hash: 1884ac0af4f7a2d505c7f97dccb4266ce71e3583e94d21c6760632a52df004ef
Instruction Fuzzy Hash: BB5145B0D002188FDB14CFA9D888BADBBF2FB48314F248559D816BB755DB74A844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0632C3A9 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.552427206.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243bd8a4f38a2e2bac5a5656d076c5be2f8df5a54e6b9eca2bc53785436515a2
Instruction ID: 40245ecd6419a219491ddbb34d66efa3fe86e656621416cf971946b84667a671
Opcode Fuzzy Hash: 243bd8a4f38a2e2bac5a5656d076c5be2f8df5a54e6b9eca2bc53785436515a2
Instruction Fuzzy Hash: F0412571D003968FCB55CF7AC8002AEFFF5AF8A320F15856AD445A7241DB389845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02D6F6CC Relevance: 1.6, APIs: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 02D6F813

Memory Dump Source

Source File: 00000006.00000002.535856884.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d60000_PO.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 36e464cdd07ed65455eddd3c881572731894533bf8770c35ef73c546e63a8481
Instruction ID: ce7b1a35c169341f5a6891aa36f059032045033a4eb841479d5520e232a914fd
Opcode Fuzzy Hash: 36e464cdd07ed65455eddd3c881572731894533bf8770c35ef73c546e63a8481
Instruction Fuzzy Hash: 5D5144B5D006188FDB18CFA9D888BADBBF1BF48314F25811AE816BB755CB749844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3770 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AA3882

Memory Dump Source

Source File: 00000006.00000002.553997729.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6aa0000_PO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: eecf1a265e60953c8ab02ed314c9e1e150862d1f4377b0e9fe94171dfb0f2b25
Instruction ID: 4d4b3367927d6e12f3d7ec1a11be5657ed2d0d99e9bb0bdf086f622dababb743
Opcode Fuzzy Hash: eecf1a265e60953c8ab02ed314c9e1e150862d1f4377b0e9fe94171dfb0f2b25
Instruction Fuzzy Hash: 0C41EFB5D00309DFDF15CF9AC880ADEBBB6BF48310F24852AE819AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D675E4 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02D676D7

Memory Dump Source

Source File: 00000006.00000002.535856884.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d60000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d0eb0c15a0cf6217092866be6c20120aed0cad965ee7c79a1c5bae481e30cca5
Instruction ID: c985990a64197dbb02ab74ac61e4d9c392fc7b98dc9183a364cf1ab80ebcc590
Opcode Fuzzy Hash: d0eb0c15a0cf6217092866be6c20120aed0cad965ee7c79a1c5bae481e30cca5
Instruction Fuzzy Hash: 024158B1D002598FEB14CFA9C9847AEFBF1FB48718F248529D815AB344D7789846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D65A64 Relevance: 1.6, APIs: 1, Instructions: 97
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 02D676D7

Memory Dump Source

Source File: 00000006.00000002.535856884.0000000002D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d60000_PO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f7cae2b2db7d3b56c715ec880433ac8b4a0922c0268a6dd7284804585541f30e
Instruction ID: b7c5b795b31806810e3582159effb73c3e11878d74b94eb8fa0d6a9eb37c6e7b
Opcode Fuzzy Hash: f7cae2b2db7d3b56c715ec880433ac8b4a0922c0268a6dd7284804585541f30e
Instruction Fuzzy Hash: 384158B0D0024D8FEB10CFA9C8887AEFBF1EB48718F148429E815AB344D7749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06AA3B4C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06AA61E1

Memory Dump Source

Source File: 00000006.00000002.553997729.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6aa0000_PO.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bdfa100495ef93eaa9c76c8b7684cfb09c461ed783d8f5e3c17aa8d2e40ef69f
Instruction ID: 03af84acc547f4272079e3700300f631bee01bae32db5fee8213335fbc7a1739
Opcode Fuzzy Hash: bdfa100495ef93eaa9c76c8b7684cfb09c461ed783d8f5e3c17aa8d2e40ef69f
Instruction Fuzzy Hash: E1413DB89003058FDB54DF99C848AAEBFF5FB88314F28D55AE419AB311D775A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0632C488 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0632C4EF

Memory Dump Source

Source File: 00000006.00000002.552427206.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6320000_PO.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 72a045f3057d7e5c359fd1b741cc135a1791700198fe8e45e5a8199066dff175
Instruction ID: c5d69869be736aab2411f93ec93ebcbeb02368c9fc728f0233ea110ca8085f21
Opcode Fuzzy Hash: 72a045f3057d7e5c359fd1b741cc135a1791700198fe8e45e5a8199066dff175
Instruction Fuzzy Hash: A31112B5C0022A9BCB10CF9AC844BDEFBF5AF48324F15812AD818B7240D379A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06AAAB28 Relevance: 1.5, APIs: 1, Instructions: 49
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06AAAB85

Memory Dump Source

Source File: 00000006.00000002.553997729.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6aa0000_PO.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 35b5c045cd426f837c54528cfa796328cbd5ba1968805a6d5e9f76955d7d82de
Instruction ID: 16d0f53bef52e702ed9a0349c26fb5a48481527227031e06396b1abbbe64adf4
Opcode Fuzzy Hash: 35b5c045cd426f837c54528cfa796328cbd5ba1968805a6d5e9f76955d7d82de
Instruction Fuzzy Hash: 331133B5C003488FDB60DF9AD884BDEBBF5AB58324F24851AD519A7310C37AA945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06AA7700 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06AAAB85

Memory Dump Source

Source File: 00000006.00000002.553997729.0000000006AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6aa0000_PO.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a9b6a953093c7f33e273aaf8ffe0fde2e3c755e3bebff95c13bff69e15ac6ff6
Instruction ID: 8cc6a09273cef10af3970de7b9937b130821ed78d6193acd180b2644585f7dce
Opcode Fuzzy Hash: a9b6a953093c7f33e273aaf8ffe0fde2e3c755e3bebff95c13bff69e15ac6ff6
Instruction Fuzzy Hash: 7D1148B58003088FCB60DF9AC484BDEBBF5EB48324F24851AD519A7300C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: keWKhH.exePID: 5144, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	308
Total number of Limit Nodes:	10

Executed Functions

Function 022CC300 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022CC370
GetCurrentThread.KERNEL32 ref: 022CC3AD
GetCurrentProcess.KERNEL32 ref: 022CC3EA
GetCurrentThreadId.KERNEL32 ref: 022CC443

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9a187940de21ac69b8b43a111a5b4443b1fee82a964831177b91035cb8bb3a54
Instruction ID: 59a84cf3f47986bb3c5f7eb013c9af475c8f9ff6062197b751cb4549eee93f6a
Opcode Fuzzy Hash: 9a187940de21ac69b8b43a111a5b4443b1fee82a964831177b91035cb8bb3a54
Instruction Fuzzy Hash: 5C5174B4A002498FDB10CFAADA487EEBFF5AF48314F24C59EE449A7250C7755888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 022CC310 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 022CC370
GetCurrentThread.KERNEL32 ref: 022CC3AD
GetCurrentProcess.KERNEL32 ref: 022CC3EA
GetCurrentThreadId.KERNEL32 ref: 022CC443

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 92a9fca627af718570c2b0832ce7a03de18b58f46105c92f4d27e48f72179e04
Instruction ID: 10c7c236d1a7167caf1e8cb391df2a5f91163f2c9715ac205e71188d559f91c9
Opcode Fuzzy Hash: 92a9fca627af718570c2b0832ce7a03de18b58f46105c92f4d27e48f72179e04
Instruction Fuzzy Hash: 795155B4A002498FDB10CFAADA487EEBBF5AF48314F20C55EE409B7250C7759884CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065E8840 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 065E8A76

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f5aa3805f7dbf3930362477f09216f7617e4879aa3e5389cb8ce2e52983772aa
Instruction ID: efb4aac559c9b9ab92619f01b7871c4dbc8e09e2b43542d95999065a7d21aa07
Opcode Fuzzy Hash: f5aa3805f7dbf3930362477f09216f7617e4879aa3e5389cb8ce2e52983772aa
Instruction Fuzzy Hash: 19915971D00219CFDF64CFA8C8817ADBBB2BF48314F1485A9E849B7280DB759985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 022CA028 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022CA26E

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c93c2500743f41f4bf6e3c936cbe8f0270ae84d968912f3969e902052f26ec36
Instruction ID: dfd6696fe10a742de28ee8b84ddbba67b71ef2632988ee39e1b16b60cfc7a9e2
Opcode Fuzzy Hash: c93c2500743f41f4bf6e3c936cbe8f0270ae84d968912f3969e902052f26ec36
Instruction Fuzzy Hash: F0714570A10B098FDB20DF6AD44475ABBF1BF88314F108A2DD04AD7A54D775E845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04A809CC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A80AEA

Memory Dump Source

Source File: 0000000B.00000002.353646326.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a80000_keWKhH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 835edb85db7f4b0c36cc85dffb92c1c0c7a08ee8fbd380ab38966611af31725f
Instruction ID: 29e490e468bbb405632bebc6c16e00d71edddbc76af0ba72e13e7e7ea75d5d93
Opcode Fuzzy Hash: 835edb85db7f4b0c36cc85dffb92c1c0c7a08ee8fbd380ab38966611af31725f
Instruction Fuzzy Hash: DC51D0B5D00309DFDB14CF9AC884ADEBBB5FF48314F64852AE418AB210D775A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A809D8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04A80AEA

Memory Dump Source

Source File: 0000000B.00000002.353646326.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a80000_keWKhH.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3bcf5ddf3e9d759554fa98120d0b0587f7dfd3402e3c3c173edaa67f951f8e86
Instruction ID: aba83d7d04b8113d844f7adeb2eeaf48f5931911d83d17799dfe1a5c6a667fbc
Opcode Fuzzy Hash: 3bcf5ddf3e9d759554fa98120d0b0587f7dfd3402e3c3c173edaa67f951f8e86
Instruction Fuzzy Hash: 9B41B0B5D00309DFDB14CF9AC884ADEBBB5FF48314F25812AE419AB210D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022C5364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022C5421

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 03ee48ba641434030933c1f1d28e9fcf77f8cb4b032d3e06076b4574da849620
Instruction ID: efe7e025dab7d061d37805b00ae39c5302d24f45bb662a55509680e016ab45f5
Opcode Fuzzy Hash: 03ee48ba641434030933c1f1d28e9fcf77f8cb4b032d3e06076b4574da849620
Instruction Fuzzy Hash: D7411571C00219CFDB24CFA9C8847DDBBB6BF44305F648159D409BB255DBB5A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 022C3DE8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 022C5421

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4cf3b5a324163965962500d0fb8f053aaa0f7b05905cb147e4835670d13e8b5a
Instruction ID: e0980f56fc4c3cd200747cbf28d6f831800032046973788a1d3c8d02851a0d5d
Opcode Fuzzy Hash: 4cf3b5a324163965962500d0fb8f053aaa0f7b05905cb147e4835670d13e8b5a
Instruction Fuzzy Hash: 5341F170C10619CFDB24CFA9C884B9EBBB6FF48304F608159D409BB255DBB5A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A82F90 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04A83051

Memory Dump Source

Source File: 0000000B.00000002.353646326.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a80000_keWKhH.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f4712ef164bf2fd72045c0ba228fafbf0924a3bf792d8ef8e9e8b68739b3f692
Instruction ID: fc5e0198a338b39eebfbed5dc09ce56a52906dac723add3d80e1a4c0e9d6b8ed
Opcode Fuzzy Hash: f4712ef164bf2fd72045c0ba228fafbf0924a3bf792d8ef8e9e8b68739b3f692
Instruction Fuzzy Hash: EF414CB8A002058FDB14DF99C488BAABBF5FB48314F24C45CD519A7321D776A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 065F2E70 Relevance: 1.6, APIs: 1, Instructions: 80
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 065F2ED5

Memory Dump Source

Source File: 0000000B.00000002.356293522.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65f0000_keWKhH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bd371bda8a3fb3d63c535dce5dec9b67226a1bd8b1e5f578c972ef9a8842b591
Instruction ID: 5e2a519e1d560a2111c007e6200184438aba8ab8b1a20af3cdc0d3db0b871143
Opcode Fuzzy Hash: bd371bda8a3fb3d63c535dce5dec9b67226a1bd8b1e5f578c972ef9a8842b591
Instruction Fuzzy Hash: C0310AB58002499FDB10CF9AD885BEEFBF8FB48324F20841AE554A7600C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065E8528 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 065E85B8

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0f3e9534d96a552ba4c7b154ebde193d2f95ba75b24f595af0d2b2584bd4c6c6
Instruction ID: 8d8ba1e4e948d80d86edee010168608b5340b06fec0aa1b95cb245e39d20c197
Opcode Fuzzy Hash: 0f3e9534d96a552ba4c7b154ebde193d2f95ba75b24f595af0d2b2584bd4c6c6
Instruction Fuzzy Hash: 972115759002499FCF50CFAAC8847DEBBF6FF48314F14842AE919A7240DB789944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 022CC938 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CC9C7

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f3c28d3f0420c65b0796fb7605fb02edf7743ea722e11d57eda46b7a8c096a92
Instruction ID: 356b9aaa9ac51a22263e74ab16573abc3b614061408e16107f14e778eea6c3ab
Opcode Fuzzy Hash: f3c28d3f0420c65b0796fb7605fb02edf7743ea722e11d57eda46b7a8c096a92
Instruction Fuzzy Hash: B521E9B5D002499FDB10CFAAD984AEEBFF5EB58314F14845AE854B3350C375A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 065E8648 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065E86C8

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ab3465845772757904426a9046b85cc4b8037e3fe2a029aee30c6ddb9acf81e3
Instruction ID: e1f57a2d7bdc7ecbc174002cee67fac9955c655e1ebfe9390ec11250dee26004
Opcode Fuzzy Hash: ab3465845772757904426a9046b85cc4b8037e3fe2a029aee30c6ddb9acf81e3
Instruction Fuzzy Hash: 542125B5D002499FCF10CFAAC880AEEBBF5FF48324F54842AE518A7240D7799945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065E82A0 Relevance: 1.6, APIs: 1, Instructions: 63
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 065E831E

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 807f56d5b939e605efdf099ed06e87421d4213978c5f6654a5a81f50fb1b9629
Instruction ID: 4d7239697e51f431279816e1a79a567a7edd4b6f95f4ec1eaa41c4daf3124b6b
Opcode Fuzzy Hash: 807f56d5b939e605efdf099ed06e87421d4213978c5f6654a5a81f50fb1b9629
Instruction Fuzzy Hash: 68213575D002098FCB54CFAEC8847EEBBF5EF58324F54842AD459A7240CB78A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022CC940 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 022CC9C7

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: af832ac6abf3260f7aadd80ab2aa7f8ccf77eccc60e8f1e12a1a06bc76bbd386
Instruction ID: 387e3b0e03b5ae084a7fc460d6aac3b7b7888b2e76620a9bf43421a578d685b4
Opcode Fuzzy Hash: af832ac6abf3260f7aadd80ab2aa7f8ccf77eccc60e8f1e12a1a06bc76bbd386
Instruction Fuzzy Hash: 9521E6B59002099FDB10CF9AD984ADEBBF5EB48314F14841AE918A3310C374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 022C93D8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022CA2E9,00000800,00000000,00000000), ref: 022CA4FA

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d7a27ed141c9a3e2c3bfb0b9d760961012c3c413829c391f08a000c2cf323c16
Instruction ID: 6634742547d02aa0166c85de64ccb934027392513725ef8f5eb03aef3203d5e4
Opcode Fuzzy Hash: d7a27ed141c9a3e2c3bfb0b9d760961012c3c413829c391f08a000c2cf323c16
Instruction Fuzzy Hash: D811D8B5D002499FDB10CF9AC844BAEBBF5AB48314F14855DD415B7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022CA488 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,022CA2E9,00000800,00000000,00000000), ref: 022CA4FA

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cadd072c7ef8e4a70474ce95243661f4ed8c51709d056e24904c1c0aa0ae73f3
Instruction ID: 0dbba3d32a1b7e89fecd2fd2327100ddb961053341c48e24cdd6363c348d78cf
Opcode Fuzzy Hash: cadd072c7ef8e4a70474ce95243661f4ed8c51709d056e24904c1c0aa0ae73f3
Instruction Fuzzy Hash: 291126B6D002498FCB20CFAAC884BEEFBF5AB98314F14855ED419B7200C379A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 065E8438 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065E84A6

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 163c03a7875cfa4836019af251b1c5e3bb81dda554dc43ea54735837d3c449f9
Instruction ID: 6548f41fa84c682e344f4dea66b897006a09e649ee674f6ad89294a30b6b4bef
Opcode Fuzzy Hash: 163c03a7875cfa4836019af251b1c5e3bb81dda554dc43ea54735837d3c449f9
Instruction Fuzzy Hash: 661129759002499BCF14DFAAC8447DFBFF6EF48324F148419E465A7250C7759944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065F5281 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 065F52E0

Memory Dump Source

Source File: 0000000B.00000002.356293522.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65f0000_keWKhH.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d5bec4646e10b38286ff4469158f4555392eaa15984e30523be655474497ec16
Instruction ID: c140f6e60ad837ae01f7beefa4e686ee8eac0fbdfec464ebd28da69102d5c38e
Opcode Fuzzy Hash: d5bec4646e10b38286ff4469158f4555392eaa15984e30523be655474497ec16
Instruction Fuzzy Hash: 3B116DB58002499FCB10CF9AC845BDEBFF8FB48324F108419E554A7640D779A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065E81C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 065E8222

Memory Dump Source

Source File: 0000000B.00000002.356087964.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65e0000_keWKhH.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7c0d28bbb22ed8209ab5e2cc42b372e41d81efe2ce48c7fdd1e34b538a222ac9
Instruction ID: f27df755ce2b7fd2acff21041192b3970191fd0ac886b1141238f6c37fdc7853
Opcode Fuzzy Hash: 7c0d28bbb22ed8209ab5e2cc42b372e41d81efe2ce48c7fdd1e34b538a222ac9
Instruction Fuzzy Hash: 4C113A75D002498BCB14DFAEC8447DFFBF5AF98324F148419D419A7240C779A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 022CA208 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 022CA26E

Memory Dump Source

Source File: 0000000B.00000002.332033543.00000000022C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 022C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_22c0000_keWKhH.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ed72eebb3279402aa62220a8197454a3a46e475df72d785e64c102522ad6a5a6
Instruction ID: e2d453cedb28bde70fbe19e9822888c80873d9f842dc0ac92a3b15f78648f533
Opcode Fuzzy Hash: ed72eebb3279402aa62220a8197454a3a46e475df72d785e64c102522ad6a5a6
Instruction Fuzzy Hash: DD1113B6C002498FCB10CF9AC844BDEFBF4AF88324F20851AD429A7204C3B9A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065F5288 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 065F52E0

Memory Dump Source

Source File: 0000000B.00000002.356293522.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65f0000_keWKhH.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f9ee8bec1346810f3449fbcebfccac26aa89e6dcf77817595ef5a5787351653f
Instruction ID: 012d63f2a9cda80d87272f971c489cfbf6ee38a303a08a67d893e74498fd9aa0
Opcode Fuzzy Hash: f9ee8bec1346810f3449fbcebfccac26aa89e6dcf77817595ef5a5787351653f
Instruction Fuzzy Hash: 031148B5C002498FCB10CF9AC885BDEBBF4FB58324F208419D558A7340D779A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A80C18 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04A80C7D

Memory Dump Source

Source File: 0000000B.00000002.353646326.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a80000_keWKhH.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2f21775ee19ad6ad6ea1fca60596f6f13d3915544626e62db1f78d586358d701
Instruction ID: 139d0a32b3f36338a8998adad567a72d15af90ac271b71f33e825ee646d5a909
Opcode Fuzzy Hash: 2f21775ee19ad6ad6ea1fca60596f6f13d3915544626e62db1f78d586358d701
Instruction Fuzzy Hash: 7F1148B58002488FDB20CF9AD585BDEBFF4EB58324F248419D858B3301C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A80C20 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04A80C7D

Memory Dump Source

Source File: 0000000B.00000002.353646326.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4a80000_keWKhH.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5f4248e2783bb20b590db833cd10fe56adf04ee7f4e425d363dabefec83a5a71
Instruction ID: 1f435a11db3ed00cdca6ce7cb7ec45708925eace67fe3b4099aea85eb12d6888
Opcode Fuzzy Hash: 5f4248e2783bb20b590db833cd10fe56adf04ee7f4e425d363dabefec83a5a71
Instruction Fuzzy Hash: C711E8B58002499FDB10DF9AD985BDEBBF8EB58324F108419D859A7700C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 065F2E78 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 065F2ED5

Memory Dump Source

Source File: 0000000B.00000002.356293522.00000000065F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_65f0000_keWKhH.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a71fcb7f8d6a231335f0d0419a40069a105a03a3278dae42be7b703215d80562
Instruction ID: 1bb5a2ce1ddfd8a5c188988c76bc3d2cec2a4e25b86dbf3bc3014e780d1dbe87
Opcode Fuzzy Hash: a71fcb7f8d6a231335f0d0419a40069a105a03a3278dae42be7b703215d80562
Instruction Fuzzy Hash: 6311E8B58003499FDB10CF9AC985BDFBBF8FB48324F208419E554A7600C375A584CFA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\keWKhH.exe.log

C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe

C:\Users\user\AppData\Roaming\keWKhH\keWKhH.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
PO.exe

Function 05B302E0 Relevance: 1.5, Strings: 1, Instructions: 230
COMMON

Function 00FDC300 Relevance: 6.1, APIs: 4, Instructions: 122
threadCOMMON

Function 00FDC310 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00FDA028 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Function 00FD5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00FD3DE8 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 05B32DF1 Relevance: 1.6, APIs: 1, Instructions: 74
windowCOMMON

Function 00FDC938 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 00FDC940 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00FDA488 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00FD93D8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00FDA208 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 05B32DF8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre