Edit tour

Windows Analysis Report
Payment List.bat.exe

Overview

General Information

Sample name:	Payment List.bat.exe
Analysis ID:	1448359
MD5:	fed0e7606fdae5961988a53e62c792b9
SHA1:	6a2955bf2a7a60e1a5b3d37176d5c4842a582702
SHA256:	2cd9ea183ef88bc1ee850151e47ffc1613b6a4a57ddbb14ef8230cd25ba77a70
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment List.bat.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\Payment List.bat.exe" MD5: FED0E7606FDAE5961988A53E62C792B9)

powershell.exe (PID: 4416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7372 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 3040 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Payment List.bat.exe (PID: 7228 cmdline: "C:\Users\user\Desktop\Payment List.bat.exe" MD5: FED0E7606FDAE5961988A53E62C792B9)

qicqbuFUGCXO.exe (PID: 7336 cmdline: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe MD5: FED0E7606FDAE5961988A53E62C792B9)

schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qicqbuFUGCXO.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe" MD5: FED0E7606FDAE5961988A53E62C792B9)

qicqbuFUGCXO.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe" MD5: FED0E7606FDAE5961988A53E62C792B9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Payment List.bat.exe PID: 4268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment List.bat.exe PID: 4268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment List.bat.exe PID: 4268	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Payment List.bat.exe PID: 7228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment List.bat.exe PID: 7228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qicqbuFUGCXO.exe PID: 7336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qicqbuFUGCXO.exe PID: 7336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qicqbuFUGCXO.exe PID: 7336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qicqbuFUGCXO.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qicqbuFUGCXO.exe PID: 7600	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.Payment List.bat.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33825:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31695:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31707:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31791:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31823:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3188d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31995:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.qicqbuFUGCXO.exe.449feb8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.qicqbuFUGCXO.exe.449feb8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.qicqbuFUGCXO.exe.449feb8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31695:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31707:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31791:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31823:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3188d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31995:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Payment List.bat.exe.3bcf1a8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment List.bat.exe.3bcf1a8.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment List.bat.exe.3bcf1a8.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31695:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31707:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31791:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31823:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3188d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31995:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Payment List.bat.exe.3c09bc8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment List.bat.exe.3c09bc8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment List.bat.exe.3c09bc8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31695:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31707:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31791:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31823:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3188d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31995:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dcb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ddb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dead:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33825:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e045:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6deb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa86d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8747:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8863:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e11f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa893f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa89d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dcb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ddb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de43:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dead:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df1f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfb5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33825:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e045:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6deb5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa86d5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df27:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8747:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfb1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87d1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e043:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8863:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88cd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e11f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa893f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa89d5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment List.bat.exe", ParentImage: C:\Users\user\Desktop\Payment List.bat.exe, ParentProcessId: 4268, ParentProcessName: Payment List.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", ProcessId: 4416, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe, ParentImage: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe, ParentProcessId: 7336, ParentProcessName: qicqbuFUGCXO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp", ProcessId: 7540, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Payment List.bat.exe, Initiated: true, ProcessId: 7228, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment List.bat.exe", ParentImage: C:\Users\user\Desktop\Payment List.bat.exe, ParentProcessId: 4268, ParentProcessName: Payment List.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", ProcessId: 3040, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment List.bat.exe", ParentImage: C:\Users\user\Desktop\Payment List.bat.exe, ParentProcessId: 4268, ParentProcessName: Payment List.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe", ProcessId: 4416, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment List.bat.exe", ParentImage: C:\Users\user\Desktop\Payment List.bat.exe, ParentProcessId: 4268, ParentProcessName: Payment List.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp", ProcessId: 3040, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment List.bat.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://smtp.privateemail.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Avira: detection malicious, Label: HEUR/AGEN.1309290

Found malware configuration

Source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}

Multi AV Scanner detection for domain / URL

Source: smtp.privateemail.com	Virustotal: Detection: 6%			Perma Link
Source: http://smtp.privateemail.com	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Virustotal: Detection: 39%			Perma Link

Multi AV Scanner detection for submitted file

Source: Payment List.bat.exe	Virustotal: Detection: 39%			Perma Link
Source: Payment List.bat.exe	ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment List.bat.exe

Joe Sandbox ML: detected

Source: Payment List.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: Payment List.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 66.29.159.53:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 66.29.159.53 66.29.159.53

Source: Joe Sandbox View

ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 66.29.159.53:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.privateemail.com

Source: Payment List.bat.exe, 00000009.00000002.3236913525.0000000001009000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.000000000643A000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Payment List.bat.exe, 00000009.00000002.3236913525.0000000001009000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001143000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.000000000643A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Payment List.bat.exe, 00000009.00000002.3236913525.0000000001009000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.000000000643A000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Payment List.bat.exe, 00000000.00000002.2051609562.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2087668364.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3234606006.0000000000435000.00000040.00000400.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3234618654.0000000000425000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, R1W.cs	.Net Code: Niu4iGJUscW
Source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, R1W.cs	.Net Code: Niu4iGJUscW

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.Payment List.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.qicqbuFUGCXO.exe.449feb8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment List.bat.exe.3c09bc8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.Payment List.bat.exe.8840000.6.raw.unpack, .cs

Large array initialization: : array initializer size 27104

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment List.bat.exe

Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_0286E2EC	0_2_0286E2EC
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_07083F00	0_2_07083F00
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_07081F71	0_2_07081F71
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_07081F80	0_2_07081F80
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_070845B0	0_2_070845B0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_070845C0	0_2_070845C0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_07081B48	0_2_07081B48
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_070823B8	0_2_070823B8
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_0708B2D0	0_2_0708B2D0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_08836FA8	0_2_08836FA8
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_088345AA	0_2_088345AA
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_0883D6E0	0_2_0883D6E0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_08839150	0_2_08839150
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_08839160	0_2_08839160
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 0_2_08833630	0_2_08833630
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F1E6C1	9_2_00F1E6C1
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F1A968	9_2_00F1A968
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F14AA0	9_2_00F14AA0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F13E88	9_2_00F13E88
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F141D0	9_2_00F141D0
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068BA068	9_2_068BA068
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068BBB58	9_2_068BBB58
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C5630	9_2_068C5630
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C6678	9_2_068C6678
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C2420	9_2_068C2420
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068CB2C8	9_2_068CB2C8
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068CC220	9_2_068CC220
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C7E08	9_2_068C7E08
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C7728	9_2_068C7728
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068CE448	9_2_068CE448
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C0007	9_2_068C0007
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C0040	9_2_068C0040
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_068C5D78	9_2_068C5D78
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_0167E2EC	10_2_0167E2EC
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_05800518	10_2_05800518
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_05807AE8	10_2_05807AE8
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_05800509	10_2_05800509
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_05807AD8	10_2_05807AD8
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E1F71	10_2_077E1F71
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E3F00	10_2_077E3F00
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E1F80	10_2_077E1F80
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077EA6C0	10_2_077EA6C0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E45C0	10_2_077E45C0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E45B0	10_2_077E45B0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E1B48	10_2_077E1B48
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E23B8	10_2_077E23B8
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010CE2C1	15_2_010CE2C1
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010CAA23	15_2_010CAA23
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010C4AA0	15_2_010C4AA0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010CDCE8	15_2_010CDCE8
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010C3E88	15_2_010C3E88
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_010C41D0	15_2_010C41D0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_058FA068	15_2_058FA068
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_058FBB58	15_2_058FBB58
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_0690B6E0	15_2_0690B6E0
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06905630	15_2_06905630
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06906678	15_2_06906678
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_0690B2BA	15_2_0690B2BA
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_0690C220	15_2_0690C220
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_069030F8	15_2_069030F8
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06907E08	15_2_06907E08
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06907728	15_2_06907728
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_0690E448	15_2_0690E448
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06900040	15_2_06900040
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06905D67	15_2_06905D67
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 15_2_06900007	15_2_06900007

Source: Payment List.bat.exe, 00000000.00000002.2059120003.0000000008840000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2050105007.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2051609562.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000000.1996291919.0000000000708000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedhRh.exe6 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2058603056.0000000006D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000000.00000002.2059160853.00000000088A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedhRh.exe6 vs Payment List.bat.exe
Source: Payment List.bat.exe, 00000009.00000002.3235139188.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment List.bat.exe
Source: Payment List.bat.exe	Binary or memory string: OriginalFilenamedhRh.exe6 vs Payment List.bat.exe

Source: Payment List.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.Payment List.bat.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.qicqbuFUGCXO.exe.449feb8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment List.bat.exe.3c09bc8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Payment List.bat.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qicqbuFUGCXO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, KLhJmaON.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 7hO8luD.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, 9HIFdl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, euaaF1BcsGrmlCeRIA.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, euaaF1BcsGrmlCeRIA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, euaaF1BcsGrmlCeRIA.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, euaaF1BcsGrmlCeRIA.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2

Source: C:\Users\user\Desktop\Payment List.bat.exe

File created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Mutant created: \Sessions\1\BaseNamedObjects\DJoxFmROk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03

Source: C:\Users\user\Desktop\Payment List.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp

Jump to behavior

Source: Payment List.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment List.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payment List.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment List.bat.exe	Virustotal: Detection: 39%
Source: Payment List.bat.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Payment List.bat.exe

File read: C:\Users\user\Desktop\Payment List.bat.exe:Zone.Identifier

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment List.bat.exe "C:\Users\user\Desktop\Payment List.bat.exe"
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Users\user\Desktop\Payment List.bat.exe "C:\Users\user\Desktop\Payment List.bat.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Users\user\Desktop\Payment List.bat.exe "C:\Users\user\Desktop\Payment List.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\Payment List.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment List.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Payment List.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment List.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: Payment List.bat.exe, Form1.cs	.Net Code: InitializeComponent
Source: qicqbuFUGCXO.exe.0.dr, Form1.cs	.Net Code: InitializeComponent
Source: 0.2.Payment List.bat.exe.8840000.6.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	.Net Code: pmo5yOopxhe9Lsx1Haj System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	.Net Code: pmo5yOopxhe9Lsx1Haj System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F1A255 push esp; retf 0139h	9_2_00F1A6C1
Source: C:\Users\user\Desktop\Payment List.bat.exe	Code function: 9_2_00F10C55 push edi; retf	9_2_00F10C7A
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E723F pushad ; retf	10_2_077E7245
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Code function: 10_2_077E505D pushfd ; ret	10_2_077E505E

Source: Payment List.bat.exe	Static PE information: section name: .text entropy: 7.9683017131333695
Source: qicqbuFUGCXO.exe.0.dr	Static PE information: section name: .text entropy: 7.9683017131333695

Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, r0iZedUvuindKHylwd.cs	High entropy of concatenated method names: 'puyJ1s10GM', 'WhtJBnTxD7', 'oh0JfLXl6k', 'N8SJUu733p', 'Ey5JFa8hAU', 'Lm0JICsnEn', 'dYYJM5QHvC', 'LAnJDHKkC6', 'KJBJYG9Xsd', 'dvMJPCECKb'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, pikLgkbN4ZISFR2s3c.cs	High entropy of concatenated method names: 'mKlhlkSQ1m', 'UnjhEbqJOW', 'rp8hykMng8', 'RUXh0WBOli', 'B26hnoDEmQ', 'Bh7hoTVFc4', 'tLQhVVUTKg', 'P5Te5ApeoE', 'Tnee4Qf6p0', 'PL1edHJs7r'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, ELtqISxsOw3V02RCjFW.cs	High entropy of concatenated method names: 'tqph1yBrlX', 'MPJhBGhX4M', 'sLwhfm4u1b', 'n8chUMth4n', 'ORDhFAX3Jt', 'QMIhIys1Rl', 'TeVhMUUpq2', 'qJ2hDI3DFw', 'aTThYgEZoG', 'tglhP08ovA'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, dWulo9RpUOalcjJI2Q.cs	High entropy of concatenated method names: 'WrCJ0Hl5ak', 'ByrJw7pRoJ', 'tYdJVsE2QX', 'lZWVXxCDKm', 'quaVzWarn7', 'vaoJpEKSQi', 'S82Jl6wLK4', 'KY9J9Qwd9h', 'r3ZJE9xTGJ', 'UKeJyVFkXK'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, p0iPcUeZyPThV5MRLn.cs	High entropy of concatenated method names: 'kLrVZvmjiB', 'MWPVnbTjiF', 'wloVoZ2Moe', 'cttVJCiL4R', 'VQ1Vv76HHD', 'iUXoqBMC2b', 'jTooKLJSMK', 'ddjo5nGHWI', 'BZGo4iWYbD', 'TIOodtUY4t'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, rYGv6xaF2ojY36Wqqb.cs	High entropy of concatenated method names: 'NIie0yMOW5', 'h9benpJh8s', 'z5OewxEFmM', 'brHeoP95Eo', 'vWqeVcuiIp', 'HJWeJk1jua', 'PZ1evX7193', 'NMBebiJCS6', 'y3oea6VjwM', 'opEexyF9ox'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, SJAEGJxHxC1BWIHAdZ8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O3PTH3Hr3x', 'ILnTrna6FB', 'PmXTLaQcdE', 'CbaTRF1XvW', 'oVBTqrPHWl', 'goLTKEHWAo', 'KtRT5rkKck'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, qKTWB5qjUIJB9pwDoA.cs	High entropy of concatenated method names: 'Dispose', 'bx6ldoIrdd', 'MnL9WEPvoU', 'uokkkaCnIr', 'Q0QlXmaWFG', 'wBhlzIlB1J', 'ProcessDialogKey', 'iT19pJd4lh', 'jOr9lrTxut', 'PCc99VYyru'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, EhpjUmncbbEC1BLpWS.cs	High entropy of concatenated method names: 'Nw9lJXHehO', 'goElvOhdww', 'rNnla1NUFu', 'r2ylxyy2ye', 'hPUlO6bNQs', 'Afbl8rCngc', 'thadskZhrkhjaRjTOV', 'pRlbDtgJQHcaKgOINU', 'eRSllJO0VG', 'qIclE9Qoqo'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, aWlFDfwStAKSqIvErB.cs	High entropy of concatenated method names: 'J91uapAQdC', 'lS0uxDOrZF', 'ToString', 'HIPu0gUDOf', 'itDun2T7lo', 'PweuwQKQE6', 'uehuoKSDVr', 'DAJuV4JWyd', 'IL7uJGAQuX', 'KGRuvQXdwq'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, hpCmMLpM3wQUvsSK1M.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dZu9dVQIC1', 'o6x9Xdb5El', 'aGt9zkrPnI', 'TSQEpw3WJB', 'GkAElyoCso', 'Jc5E9ZNNXs', 'evdEE3mRCI', 'xYVZXeolL7WCI0q8APP'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, X8ilbRKJ9gowAsFF2T.cs	High entropy of concatenated method names: 'pgPu4WPITY', 'oLtuXljTb4', 'csEephFvNR', 'g7HelIvJuW', 'yoxuQKsopx', 'O9Iuie85PL', 'XkAujwyymG', 'JKyuHCUh5j', 'je5urSq28q', 'uh1uLsCEjI'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Nnw42Cz0pPmI8skKNY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pujht4wd1h', 'eV6hODwbIK', 'EYWh81xdeA', 'ULohuTFebx', 'kxohePguwN', 'FjGhh9Lrt0', 'wlihT0l2yH'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, SWgkEbtr45SQJ1E5e9.cs	High entropy of concatenated method names: 'HBnwU18OjM', 'g7cwI557q4', 'P4SwDmhIMF', 'PpkwYykva3', 'eIowO3TN0H', 'Gk3w8nEpNG', 'MbZwunE7T8', 'YhFwem4596', 'EKrwhAF8gJ', 'zhiwT22O1q'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, euaaF1BcsGrmlCeRIA.cs	High entropy of concatenated method names: 'R0UnH5vPGo', 'LmLnrxYZK4', 'I4knLXEacH', 'fSOnRLil8U', 'pymnqKuKWp', 'MCnnKKJ9il', 'lFSn5GxM1i', 'Uewn4T8Ete', 'qUjndDE6a1', 'Ba3nX9Rpye'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, SsPoL0kKePBSP7AoUO.cs	High entropy of concatenated method names: 'mVZe7gwEOB', 'oXJeWElOef', 'zsmeAdkeZl', 'rCkesLyF10', 'zJ2eHGjviq', 'qPpe3UTtpK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, KOOR6mdGIBnqTRBpUD.cs	High entropy of concatenated method names: 'OTFfdsox0', 'FeeUntNyx', 'S7FIOwYQ7', 'X9NMUkBWG', 'mUpYMwCHv', 'PopPX7isX', 'pP3yy1KqVwLkv6HAvt', 'k6jsa9tmhJtjvnKD5R', 'c1LeTTSUM', 'xjyT5tXsC'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, kuPSY3Xvn0gTTjEVG5.cs	High entropy of concatenated method names: 'oUYtDSfd7E', 'SyUtYFuihh', 'mXEt7ipcVN', 'kNetW0kSUl', 'v61tsXxXAo', 'gFot3NkOQM', 'aI9tGm6dgd', 'sxctcFeR0d', 'adHtSQLxIV', 'CnetQuPw1D'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, mjxHCeI2arfhcxYQMD.cs	High entropy of concatenated method names: 'p24OS0q3t0', 'aoTOiEALVn', 'D3BOH3Xxht', 'DpaOrLRXyD', 'R5dOWh6hKI', 'yPLOA3j1fd', 'R4mOsSnofX', 'U3lO3TfjdO', 'SqyOCiFG6H', 'opKOGji23h'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, ESiwFYGf9PIJGb224M.cs	High entropy of concatenated method names: 'reHoFJcx4I', 'yhJoM6ijZC', 'mMLwAWb1WU', 'WtgwsnE3aD', 'DaQw3SopxJ', 'CA4wCksoNd', 'oROwGLO2G8', 'AwDwce73iL', 'Uqqwg2wx7G', 'UxIwSN0Pfe'
Source: 0.2.Payment List.bat.exe.3cf9160.2.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	High entropy of concatenated method names: 'iPHEZKLncS', 'OrEE0aywFR', 'DeNEnOBVhv', 'HQ9EwVollF', 'E1oEoNP3vi', 'Jw8EVJNMQY', 'MZcEJ3wLfq', 'VLFEvqL1Y0', 'TFxEbJLG8l', 'YWHEak41ot'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, r0iZedUvuindKHylwd.cs	High entropy of concatenated method names: 'puyJ1s10GM', 'WhtJBnTxD7', 'oh0JfLXl6k', 'N8SJUu733p', 'Ey5JFa8hAU', 'Lm0JICsnEn', 'dYYJM5QHvC', 'LAnJDHKkC6', 'KJBJYG9Xsd', 'dvMJPCECKb'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, pikLgkbN4ZISFR2s3c.cs	High entropy of concatenated method names: 'mKlhlkSQ1m', 'UnjhEbqJOW', 'rp8hykMng8', 'RUXh0WBOli', 'B26hnoDEmQ', 'Bh7hoTVFc4', 'tLQhVVUTKg', 'P5Te5ApeoE', 'Tnee4Qf6p0', 'PL1edHJs7r'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, ELtqISxsOw3V02RCjFW.cs	High entropy of concatenated method names: 'tqph1yBrlX', 'MPJhBGhX4M', 'sLwhfm4u1b', 'n8chUMth4n', 'ORDhFAX3Jt', 'QMIhIys1Rl', 'TeVhMUUpq2', 'qJ2hDI3DFw', 'aTThYgEZoG', 'tglhP08ovA'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, dWulo9RpUOalcjJI2Q.cs	High entropy of concatenated method names: 'WrCJ0Hl5ak', 'ByrJw7pRoJ', 'tYdJVsE2QX', 'lZWVXxCDKm', 'quaVzWarn7', 'vaoJpEKSQi', 'S82Jl6wLK4', 'KY9J9Qwd9h', 'r3ZJE9xTGJ', 'UKeJyVFkXK'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, p0iPcUeZyPThV5MRLn.cs	High entropy of concatenated method names: 'kLrVZvmjiB', 'MWPVnbTjiF', 'wloVoZ2Moe', 'cttVJCiL4R', 'VQ1Vv76HHD', 'iUXoqBMC2b', 'jTooKLJSMK', 'ddjo5nGHWI', 'BZGo4iWYbD', 'TIOodtUY4t'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, rYGv6xaF2ojY36Wqqb.cs	High entropy of concatenated method names: 'NIie0yMOW5', 'h9benpJh8s', 'z5OewxEFmM', 'brHeoP95Eo', 'vWqeVcuiIp', 'HJWeJk1jua', 'PZ1evX7193', 'NMBebiJCS6', 'y3oea6VjwM', 'opEexyF9ox'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, SJAEGJxHxC1BWIHAdZ8.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'O3PTH3Hr3x', 'ILnTrna6FB', 'PmXTLaQcdE', 'CbaTRF1XvW', 'oVBTqrPHWl', 'goLTKEHWAo', 'KtRT5rkKck'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, qKTWB5qjUIJB9pwDoA.cs	High entropy of concatenated method names: 'Dispose', 'bx6ldoIrdd', 'MnL9WEPvoU', 'uokkkaCnIr', 'Q0QlXmaWFG', 'wBhlzIlB1J', 'ProcessDialogKey', 'iT19pJd4lh', 'jOr9lrTxut', 'PCc99VYyru'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, EhpjUmncbbEC1BLpWS.cs	High entropy of concatenated method names: 'Nw9lJXHehO', 'goElvOhdww', 'rNnla1NUFu', 'r2ylxyy2ye', 'hPUlO6bNQs', 'Afbl8rCngc', 'thadskZhrkhjaRjTOV', 'pRlbDtgJQHcaKgOINU', 'eRSllJO0VG', 'qIclE9Qoqo'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, aWlFDfwStAKSqIvErB.cs	High entropy of concatenated method names: 'J91uapAQdC', 'lS0uxDOrZF', 'ToString', 'HIPu0gUDOf', 'itDun2T7lo', 'PweuwQKQE6', 'uehuoKSDVr', 'DAJuV4JWyd', 'IL7uJGAQuX', 'KGRuvQXdwq'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, hpCmMLpM3wQUvsSK1M.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dZu9dVQIC1', 'o6x9Xdb5El', 'aGt9zkrPnI', 'TSQEpw3WJB', 'GkAElyoCso', 'Jc5E9ZNNXs', 'evdEE3mRCI', 'xYVZXeolL7WCI0q8APP'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, X8ilbRKJ9gowAsFF2T.cs	High entropy of concatenated method names: 'pgPu4WPITY', 'oLtuXljTb4', 'csEephFvNR', 'g7HelIvJuW', 'yoxuQKsopx', 'O9Iuie85PL', 'XkAujwyymG', 'JKyuHCUh5j', 'je5urSq28q', 'uh1uLsCEjI'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Nnw42Cz0pPmI8skKNY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pujht4wd1h', 'eV6hODwbIK', 'EYWh81xdeA', 'ULohuTFebx', 'kxohePguwN', 'FjGhh9Lrt0', 'wlihT0l2yH'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, SWgkEbtr45SQJ1E5e9.cs	High entropy of concatenated method names: 'HBnwU18OjM', 'g7cwI557q4', 'P4SwDmhIMF', 'PpkwYykva3', 'eIowO3TN0H', 'Gk3w8nEpNG', 'MbZwunE7T8', 'YhFwem4596', 'EKrwhAF8gJ', 'zhiwT22O1q'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, euaaF1BcsGrmlCeRIA.cs	High entropy of concatenated method names: 'R0UnH5vPGo', 'LmLnrxYZK4', 'I4knLXEacH', 'fSOnRLil8U', 'pymnqKuKWp', 'MCnnKKJ9il', 'lFSn5GxM1i', 'Uewn4T8Ete', 'qUjndDE6a1', 'Ba3nX9Rpye'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, SsPoL0kKePBSP7AoUO.cs	High entropy of concatenated method names: 'mVZe7gwEOB', 'oXJeWElOef', 'zsmeAdkeZl', 'rCkesLyF10', 'zJ2eHGjviq', 'qPpe3UTtpK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, KOOR6mdGIBnqTRBpUD.cs	High entropy of concatenated method names: 'OTFfdsox0', 'FeeUntNyx', 'S7FIOwYQ7', 'X9NMUkBWG', 'mUpYMwCHv', 'PopPX7isX', 'pP3yy1KqVwLkv6HAvt', 'k6jsa9tmhJtjvnKD5R', 'c1LeTTSUM', 'xjyT5tXsC'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, kuPSY3Xvn0gTTjEVG5.cs	High entropy of concatenated method names: 'oUYtDSfd7E', 'SyUtYFuihh', 'mXEt7ipcVN', 'kNetW0kSUl', 'v61tsXxXAo', 'gFot3NkOQM', 'aI9tGm6dgd', 'sxctcFeR0d', 'adHtSQLxIV', 'CnetQuPw1D'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, mjxHCeI2arfhcxYQMD.cs	High entropy of concatenated method names: 'p24OS0q3t0', 'aoTOiEALVn', 'D3BOH3Xxht', 'DpaOrLRXyD', 'R5dOWh6hKI', 'yPLOA3j1fd', 'R4mOsSnofX', 'U3lO3TfjdO', 'SqyOCiFG6H', 'opKOGji23h'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, ESiwFYGf9PIJGb224M.cs	High entropy of concatenated method names: 'reHoFJcx4I', 'yhJoM6ijZC', 'mMLwAWb1WU', 'WtgwsnE3aD', 'DaQw3SopxJ', 'CA4wCksoNd', 'oROwGLO2G8', 'AwDwce73iL', 'Uqqwg2wx7G', 'UxIwSN0Pfe'
Source: 0.2.Payment List.bat.exe.6d70000.5.raw.unpack, Jsi8pDhntxMX6Xyxk2.cs	High entropy of concatenated method names: 'iPHEZKLncS', 'OrEE0aywFR', 'DeNEnOBVhv', 'HQ9EwVollF', 'E1oEoNP3vi', 'Jw8EVJNMQY', 'MZcEJ3wLfq', 'VLFEvqL1Y0', 'TFxEbJLG8l', 'YWHEak41ot'

Source: C:\Users\user\Desktop\Payment List.bat.exe

File created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment List.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7336, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 2820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 4990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 8A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 6E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 9B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: AB90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 1670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 5260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 8E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 75F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 8E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 1080000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 2E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory allocated: 11D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6113	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 423	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7921	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 596	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Window / User API: threadDelayed 2629	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Window / User API: threadDelayed 2440	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Window / User API: threadDelayed 455
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Window / User API: threadDelayed 3730

Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 5308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1172	Thread sleep count: 6113 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5864	Thread sleep count: 423 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7444	Thread sleep count: 2629 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7444	Thread sleep count: 2440 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98760s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97745s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7356	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7708	Thread sleep count: 455 > 30
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7708	Thread sleep count: 3730 > 30
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe TID: 7704	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment List.bat.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98760	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97859	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97745	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97515	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99657
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98703
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98594
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Thread delayed: delay time: 922337203685477

Source: Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3234618654.0000000000425000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.00000000011AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: Payment List.bat.exe, 00000009.00000002.3236913525.0000000001009000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment List.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment List.bat.exe	Memory written: C:\Users\user\Desktop\Payment List.bat.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Memory written: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Process created: C:\Users\user\Desktop\Payment List.bat.exe "C:\Users\user\Desktop\Payment List.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Process created: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Users\user\Desktop\Payment List.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Users\user\Desktop\Payment List.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Payment List.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 7228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7600, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Payment List.bat.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payment List.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Payment List.bat.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 7228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7600, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.44da8d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.qicqbuFUGCXO.exe.449feb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3c09bc8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment List.bat.exe.3bcf1a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 4268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment List.bat.exe PID: 7228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qicqbuFUGCXO.exe PID: 7600, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	211 Security Software Discovery	Distributed Component Object Model	1 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment List.bat.exe	40%	Virustotal		Browse
Payment List.bat.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
Payment List.bat.exe	100%	Avira	HEUR/AGEN.1309290
Payment List.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	100%	Avira	HEUR/AGEN.1309290
C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe	40%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	1%	Virustotal		Browse
smtp.privateemail.com	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://smtp.privateemail.com	100%	Avira URL Cloud	malware
http://smtp.privateemail.com	6%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false	1%, Virustotal, Browse	unknown
smtp.privateemail.com	66.29.159.53	true	true	6%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3234618654.0000000000425000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	Payment List.bat.exe, 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3234606006.0000000000435000.00000040.00000400.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3236645093.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3236064889.0000000001178000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3248237829.0000000006486000.00000004.00000020.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment List.bat.exe, 00000000.00000002.2051609562.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, Payment List.bat.exe, 00000009.00000002.3237643875.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000A.00000002.2087668364.00000000032B0000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002E81000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.privateemail.com	Payment List.bat.exe, 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, qicqbuFUGCXO.exe, 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
66.29.159.53	smtp.privateemail.com	United States		19538	ADVANTAGECOMUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448359
Start date and time:	2024-05-28 09:10:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment List.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 257 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:11:19	API Interceptor	27x Sleep call for process: Payment List.bat.exe modified
03:11:21	API Interceptor	27x Sleep call for process: powershell.exe modified
03:11:24	API Interceptor	23x Sleep call for process: qicqbuFUGCXO.exe modified
09:11:22	Task Scheduler	Run new task: qicqbuFUGCXO path: C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
66.29.159.53	INQUIRY RE44535_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	e-dekont_swift-details.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe	Get hash	malicious	AgentTesla	Browse
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zip	Get hash	malicious	AgentTesla	Browse
	pAYMENTcOPY.com.exe	Get hash	malicious	AgentTesla, NSISDropper	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
smtp.privateemail.com	INQUIRY RE44535_pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	66.29.159.53
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	Swift_Message#1234323456.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	e-dekont_swift-details.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	66.29.159.53
	17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zip	Get hash	malicious	AgentTesla	Browse	66.29.159.53
	pAYMENTcOPY.com.exe	Get hash	malicious	AgentTesla, NSISDropper	Browse	66.29.159.53
api.ipify.org	N#U00a3mero de pedido HMFZ0772 [Pedido].exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://pesoneta3754.pages.dev/help/contact/687223607724468/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://spoge-tronie37834.pages.dev/help/contact/815304886072906	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://fb.com-case0328.me/help/contact/472015820496903	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://kalvin9835-philadent98254.pages.dev/	Get hash	malicious	Unknown	Browse	104.26.13.205
	http://fb.com-case0328.me/help/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://grtpesoneta3754.pages.dev/help/contact/310231431980412	Get hash	malicious	Unknown	Browse	104.26.12.205
	Company Profile.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae_dump.bin.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://pesoneta3754.pages.dev/help/defaults.php	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	N#U00a3mero de pedido HMFZ0772 [Pedido].exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://layanan-banntuan.program-update.com/	Get hash	malicious	Unknown	Browse	172.67.196.204
	https://download.adaware.com/nano_download.php?partner=adaware	Get hash	malicious	Unknown	Browse	104.16.212.94
	http://personapatternanalyzer.com/6c9pixal	Get hash	malicious	Unknown	Browse	188.114.97.3
	D8toi0qM9J.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	104.16.180.49
	http://pesoneta3754.pages.dev/help/contact/687223607724468/	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://xmdt-kun-5-manh.pages.dev/	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://pemulihanakunndanaa.program-update.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://mint-openseapro-nftsx.vercel.app/	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://pemulihan-akun-danaaa.program-update.com/	Get hash	malicious	Unknown	Browse	172.67.196.204
ADVANTAGECOMUS	VSL_BUNKER INQUIRY.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	PO JAN 2024.exe	Get hash	malicious	FormBook	Browse	66.29.145.248
	RFQ#o52824.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	Doc_10577030xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	66.29.151.236
	Copy#51007602.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	66.29.151.236
	Doc100057638xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	66.29.151.236
	RB_VAC_1.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	66.29.137.12
	4TH HIRE SOA REMITTANCE_USD280,000.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
	#U0426#U0438#U0442#U0430#U0442#U0430.exe	Get hash	malicious	FormBook	Browse	66.29.149.193

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	N#U00a3mero de pedido HMFZ0772 [Pedido].exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://o-p.me/public/Netflix/ch/login.php/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://pemulihanakunndanaa.program-update.com/	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://mysteryybox13.vercel.app/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://suchen-mobile-fahrzeuge-details-search-390615990-request.de/	Get hash	malicious	Unknown	Browse	104.26.12.205
	Listido_Junio.exe	Get hash	malicious	DarkCloud, DarkTortilla	Browse	104.26.12.205
	1.ps1	Get hash	malicious	DarkGate, MailPassView	Browse	104.26.12.205
	new.cmd	Get hash	malicious	Unknown	Browse	104.26.12.205
	IMG-35235235523525235252532535Selvfinansieret.vbs	Get hash	malicious	GuLoader	Browse	104.26.12.205
	Company Profile.PDF.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\Payment List.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qicqbuFUGCXO.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
MD5:	16AD599332DD2FF94DA0787D71688B62
SHA1:	02F738694B02E84FFE3BAB7DE5709001823C6E40
SHA-256:	452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
SHA-512:	A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2b4v25mx.py4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2k25l10s.ehu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ycvunae.3t1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eex24wbc.iy2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2bj0fhx.uwo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj4u1ly2.k3q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ix1k0ng4.d1l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofzeqo3f.zu0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp

Download File

Process:	C:\Users\user\Desktop\Payment List.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.115111534925106
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtzxvn:cgergYrFdOFzOzN33ODOiDdKrsuTtv
MD5:	46C06DE08A32D8912122FEFFA542804F
SHA1:	7016849857F20EB4ABAA6A907B6643B2D01A155C
SHA-256:	3AED92A28B288F5DB0D1E077A879C8E6B7E3FF3CA4C8D5221EBC3A688D0B562F
SHA-512:	872913F7E074B284E6FBAE7F99DE7DD5BE4052F04329D5BF8003F6EC45DC9CF5FE8861F0D5E8C5F6836571DA4629C5FCEC60EF21FA84EC62F6E21DEA703D0515
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpD43A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1585
Entropy (8bit):	5.115111534925106
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtzxvn:cgergYrFdOFzOzN33ODOiDdKrsuTtv
MD5:	46C06DE08A32D8912122FEFFA542804F
SHA1:	7016849857F20EB4ABAA6A907B6643B2D01A155C
SHA-256:	3AED92A28B288F5DB0D1E077A879C8E6B7E3FF3CA4C8D5221EBC3A688D0B562F
SHA-512:	872913F7E074B284E6FBAE7F99DE7DD5BE4052F04329D5BF8003F6EC45DC9CF5FE8861F0D5E8C5F6836571DA4629C5FCEC60EF21FA84EC62F6E21DEA703D0515
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Download File

Process:	C:\Users\user\Desktop\Payment List.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	683520
Entropy (8bit):	7.96173932044234
Encrypted:	false
SSDEEP:	12288:rKcOV/xljKrCu8RrCPZTUYTkXh/9HJRGWqF07TDuTkOVvF:PrC/rCRT+Rlv0F0fwLV
MD5:	FED0E7606FDAE5961988A53E62C792B9
SHA1:	6A2955BF2A7A60E1A5B3D37176D5C4842A582702
SHA-256:	2CD9EA183EF88BC1EE850151E47FFC1613B6A4A57DDBB14EF8230CD25BA77A70
SHA-512:	B49626292C059439C027C0211E499711616D09A0EEC50800F374952D4B2BC8CA83538250CA9BC5C87445D7AD9B2B8E1E6468386DC9D94BD6CEF29ADC0890F951
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26% Antivirus: Virustotal, Detection: 40%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...45Uf..............0..F...&.......d... ........@.. ....................................@.................................td..O........"........................................................................... ............... ..H............text....D... ...F.................. ..`.rsrc....".......$...H..............@..@.reloc...............l..............@..B.................d......H........h..07..........................................................6.(.....(.......0..~......."....."......{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o....,..{....o......(....,...X..{....o......(....&..X..{....o......(....&..X..{....o......(....&..X..{"...o......(....&..X..{.....(....o...

C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Payment List.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.96173932044234
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment List.bat.exe
File size:	683'520 bytes
MD5:	fed0e7606fdae5961988a53e62c792b9
SHA1:	6a2955bf2a7a60e1a5b3d37176d5c4842a582702
SHA256:	2cd9ea183ef88bc1ee850151e47ffc1613b6a4a57ddbb14ef8230cd25ba77a70
SHA512:	b49626292c059439c027c0211e499711616d09a0eec50800f374952d4b2bc8ca83538250ca9bc5c87445d7ad9b2b8e1e6468386dc9d94bd6cef29adc0890f951
SSDEEP:	12288:rKcOV/xljKrCu8RrCPZTUYTkXh/9HJRGWqF07TDuTkOVvF:PrC/rCRT+Rlv0F0fwLV
TLSH:	2CE4237937B92363E5F9D2F054AA25D087F4728B76A0EAD55DD621C30DE3FA88200E47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...45Uf..............0..F...&.......d... ........@.. ....................................@................................

File Icon


Icon Hash:	4c9e97336b69cda2

Static PE Info

General

Entrypoint:	0x4a64c6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66553534 [Tue May 28 01:36:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa6474	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8000	0x22e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xac000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa44cc	0xa4600	2e366e6348caef1c493cf666a110675a	False	0.9555935123574144	data	7.9683017131333695	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa8000	0x22e0	0x2400	2ad73b0f778c5afb74828b4533f944e4	False	0.8470052083333334	data	7.446515066909842	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xac000	0xc	0x200	06c45e8f7165e1ea7f5b2047a87c3316	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa8100	0x1c70	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9625
RT_GROUP_ICON	0xa9d80	0x14	data	1.05
RT_VERSION	0xa9da4	0x33c	data	0.428743961352657
RT_MANIFEST	0xaa0f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2024 09:11:23.368767977 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.368803024 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:23.369085073 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.373814106 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.373835087 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:23.867547989 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:23.867708921 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.875999928 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.876022100 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:23.876318932 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:23.916049004 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:23.962816954 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:24.010505915 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:24.138869047 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:24.138941050 CEST	443	49708	104.26.12.205	192.168.2.5
May 28, 2024 09:11:24.139030933 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:24.146255970 CEST	49708	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:24.789616108 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:24.794703960 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:24.794780016 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.467019081 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.470796108 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.475734949 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.629717112 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.630192995 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.635149002 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.789910078 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.790357113 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.797163963 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950627089 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950690985 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950722933 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950761080 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.950762987 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950819016 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:25.950819969 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.950850010 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:25.951288939 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.019164085 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.024123907 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.178764105 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.183650970 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.188518047 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.350617886 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.351603031 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.356900930 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.513199091 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.514389038 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.520411968 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.677381039 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.677611113 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.682801008 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.796732903 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:26.796780109 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:26.797811031 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:26.801879883 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:26.801896095 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:26.838298082 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:26.838576078 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:26.843457937 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.028398037 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.028809071 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:27.033735991 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.187180996 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.187985897 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:27.188075066 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:27.188114882 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:27.188139915 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:27.193010092 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.193041086 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.193075895 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.193124056 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.278156996 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.278228045 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:27.280189037 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:27.280195951 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.280582905 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.360124111 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:27.406500101 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.501018047 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:11:27.525348902 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.525413990 CEST	443	49712	104.26.12.205	192.168.2.5
May 28, 2024 09:11:27.525476933 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:27.529330969 CEST	49712	443	192.168.2.5	104.26.12.205
May 28, 2024 09:11:27.634835958 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:28.225913048 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:28.231357098 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:28.231472015 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:28.788465977 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:28.790505886 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:28.795411110 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:28.943707943 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:28.944607973 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:28.949639082 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.098071098 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.098475933 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.103363037 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253359079 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253391981 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253444910 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.253509998 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253536940 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253555059 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253570080 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.253591061 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.253638983 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.255259991 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.260092974 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.409118891 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.414453030 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.419431925 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.568451881 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.568836927 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.573925018 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.723423958 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.723716021 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.728575945 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.878819942 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:29.879097939 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:29.883990049 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.034487009 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.034768105 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.039809942 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.212047100 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.212328911 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.217519045 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.366729021 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.367307901 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.367388964 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.367417097 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.367417097 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:11:30.372462988 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.372503996 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.372523069 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.372534037 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.671519995 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:11:30.712973118 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:04.807194948 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:04.812160015 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:13:04.965713978 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:13:04.965869904 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:13:04.965969086 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:04.967575073 CEST	49709	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:04.973329067 CEST	587	49709	66.29.159.53	192.168.2.5
May 28, 2024 09:13:08.244668007 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:08.249872923 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:13:08.398660898 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:13:08.398893118 CEST	587	49713	66.29.159.53	192.168.2.5
May 28, 2024 09:13:08.398950100 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:08.399694920 CEST	49713	587	192.168.2.5	66.29.159.53
May 28, 2024 09:13:08.404541016 CEST	587	49713	66.29.159.53	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2024 09:11:23.348853111 CEST	52895	53	192.168.2.5	1.1.1.1
May 28, 2024 09:11:23.355957031 CEST	53	52895	1.1.1.1	192.168.2.5
May 28, 2024 09:11:24.779937029 CEST	54605	53	192.168.2.5	1.1.1.1
May 28, 2024 09:11:24.788892984 CEST	53	54605	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2024 09:11:23.348853111 CEST	192.168.2.5	1.1.1.1	0xe2cf	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
May 28, 2024 09:11:24.779937029 CEST	192.168.2.5	1.1.1.1	0xbd02	Standard query (0)	smtp.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 28, 2024 09:11:23.355957031 CEST	1.1.1.1	192.168.2.5	0xe2cf	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 28, 2024 09:11:23.355957031 CEST	1.1.1.1	192.168.2.5	0xe2cf	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
May 28, 2024 09:11:23.355957031 CEST	1.1.1.1	192.168.2.5	0xe2cf	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 28, 2024 09:11:24.788892984 CEST	1.1.1.1	192.168.2.5	0xbd02	No error (0)	smtp.privateemail.com	66.29.159.53	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.26.12.205	443	7228	C:\Users\user\Desktop\Payment List.bat.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:11:23 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-28 07:11:24 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:11:24 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 88ac6e2f18394361-EWR
2024-05-28 07:11:24 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	104.26.12.205	443	7600	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:11:27 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-28 07:11:27 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:11:27 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 88ac6e445e627291-EWR
2024-05-28 07:11:27 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 28, 2024 09:11:25.467019081 CEST	587	49709	66.29.159.53	192.168.2.5	220 PrivateEmail.com prod Mail Node
May 28, 2024 09:11:25.470796108 CEST	49709	587	192.168.2.5	66.29.159.53	EHLO 841675
May 28, 2024 09:11:25.629717112 CEST	587	49709	66.29.159.53	192.168.2.5	250-mta-11.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
May 28, 2024 09:11:25.630192995 CEST	49709	587	192.168.2.5	66.29.159.53	STARTTLS
May 28, 2024 09:11:25.789910078 CEST	587	49709	66.29.159.53	192.168.2.5	220 Ready to start TLS
May 28, 2024 09:11:28.788465977 CEST	587	49713	66.29.159.53	192.168.2.5	220 PrivateEmail.com prod Mail Node
May 28, 2024 09:11:28.790505886 CEST	49713	587	192.168.2.5	66.29.159.53	EHLO 841675
May 28, 2024 09:11:28.943707943 CEST	587	49713	66.29.159.53	192.168.2.5	250-mta-11.privateemail.com 250-PIPELINING 250-SIZE 81788928 250-ETRN 250-AUTH PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-CHUNKING 250 STARTTLS
May 28, 2024 09:11:28.944607973 CEST	49713	587	192.168.2.5	66.29.159.53	STARTTLS
May 28, 2024 09:11:29.098071098 CEST	587	49713	66.29.159.53	192.168.2.5	220 Ready to start TLS

Target ID:	0
Start time:	03:11:18
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\Payment List.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment List.bat.exe"
Imagebase:	0x660000
File size:	683'520 bytes
MD5 hash:	FED0E7606FDAE5961988A53E62C792B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2052289650.0000000003BCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:20
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment List.bat.exe"
Imagebase:	0xe20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:20
Start date:	28/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:11:21
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Imagebase:	0xe20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:11:21
Start date:	28/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:11:21
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp"
Imagebase:	0xe00000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:11:21
Start date:	28/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:11:22
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\Payment List.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment List.bat.exe"
Imagebase:	0x850000
File size:	683'520 bytes
MD5 hash:	FED0E7606FDAE5961988A53E62C792B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3237643875.0000000002D49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3237643875.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:11:22
Start date:	28/05/2024
Path:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
Imagebase:	0xed0000
File size:	683'520 bytes
MD5 hash:	FED0E7606FDAE5961988A53E62C792B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2088998167.000000000449F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs Detection: 40%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:11:23
Start date:	28/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:11:25
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qicqbuFUGCXO" /XML "C:\Users\user\AppData\Local\Temp\tmpD43A.tmp"
Imagebase:	0xe00000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:11:25
Start date:	28/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:11:25
Start date:	28/05/2024
Path:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Imagebase:	0x3e0000
File size:	683'520 bytes
MD5 hash:	FED0E7606FDAE5961988A53E62C792B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:11:25
Start date:	28/05/2024
Path:	C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qicqbuFUGCXO.exe"
Imagebase:	0x870000
File size:	683'520 bytes
MD5 hash:	FED0E7606FDAE5961988A53E62C792B9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3238159947.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3238159947.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	197
Total number of Limit Nodes:	12

Executed Functions

Function 08836FA8 Relevance: 7.9, Strings: 6, Instructions: 438COMMON

Download Yara Rule

Strings

$]q, xrefs: 08837200
LR]q, xrefs: 0883725F
$]q, xrefs: 088371F0
LR]q, xrefs: 0883712A
LR]q, xrefs: 0883726D
LR]q, xrefs: 08837138

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: 13c3a743a141ecbd7ad54ca5de54e77549ff8cda9e8bc768f978408cdeb417eb
Instruction ID: 4033841ef85f80ee64d722991101f68394cc80687c84a74f6b00dedd155e4b5a
Opcode Fuzzy Hash: 13c3a743a141ecbd7ad54ca5de54e77549ff8cda9e8bc768f978408cdeb417eb
Instruction Fuzzy Hash: D1F1E5B1A08179CFC715AB6CC8507ACBFB1AF45316F4881BAE452EB692D374C941CBE1

Function 088345AA Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbc5efc3afd7c6d48cca0deffccf6846616e5f026ded4eb7ac16f8ca70b7765
Instruction ID: 5f5286b3dea1367b7e2fc06a3255af689e3203c869fff87c5aa3169c83951413
Opcode Fuzzy Hash: dbbc5efc3afd7c6d48cca0deffccf6846616e5f026ded4eb7ac16f8ca70b7765
Instruction Fuzzy Hash: F9713475908229CFC710CFADD8417AABBF1FF12306F1581AAD16ACB692D3349941CB99

Function 0883D6E0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b610e2ccb9ab5215e8fe4f2a3738a7912a7f4c1c5a8300a1479d99d08cc22138
Instruction ID: 23ad6ed34fdc0ca85329d734cf84b0d41d47246e75f1bfb2c5da9b077723ec02
Opcode Fuzzy Hash: b610e2ccb9ab5215e8fe4f2a3738a7912a7f4c1c5a8300a1479d99d08cc22138
Instruction Fuzzy Hash: BF510574E05228DFDB14CF6AC8806AEFBF6BF8A301F54D4A9D409A7212D7345985CF91

Function 08832AEB Relevance: 17.9, Strings: 14, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX]q, xrefs: 08832E93
fbq, xrefs: 08832C89
fbq, xrefs: 08832C26
$]q, xrefs: 0883326F
fbq, xrefs: 08832BF1
XX]q, xrefs: 08832F74
fbq, xrefs: 08832BE5
XX]q, xrefs: 08832F24
XX]q, xrefs: 08832F84
Te]q, xrefs: 08832DC1
XX]q, xrefs: 08832F34
fbq, xrefs: 08832C99
fbq, xrefs: 08832C36
XX]q, xrefs: 08832E4E

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$ fbq$ fbq$ fbq$Te]q$XX]q$XX]q$XX]q$XX]q$XX]q$XX]q$$]q
API String ID: 0-4267258224
Opcode ID: 9a7c6f71610d28a38c19d52d20e2c77597a465ab128876acaf5c29536137e468
Instruction ID: 59a5958f4677bf24d4827dc9f04a16bd8c82ee3baf8ac3e1397214e280d41afa
Opcode Fuzzy Hash: 9a7c6f71610d28a38c19d52d20e2c77597a465ab128876acaf5c29536137e468
Instruction Fuzzy Hash: 0002E330A04268CFDB25CFA8C5957ADBBF2FF45302F508569D416EF2A6CB748942CB91

Function 08832F9E Relevance: 14.1, Strings: 11, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX]q, xrefs: 08832FD1
Te]q, xrefs: 08832FF0
$]q, xrefs: 088330A9
$]q, xrefs: 0883326F
$]q, xrefs: 08833197
XX]q, xrefs: 08832FC1
Te]q, xrefs: 08832FE6
fbq, xrefs: 08833182
$]q, xrefs: 088331AD
fbq, xrefs: 08833172
fbq, xrefs: 088332C9

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: fbq$ fbq$ fbq$Te]q$Te]q$XX]q$XX]q$$]q$$]q$$]q$$]q
API String ID: 0-140804313
Opcode ID: 9a235cdd9b3d648acb20e1b2923115f3669f59fddc45eea498538688a3557261
Instruction ID: 831db2709fd83dd41b2c39f4ee2da12b071ced33c3221990ffe531206054a920
Opcode Fuzzy Hash: 9a235cdd9b3d648acb20e1b2923115f3669f59fddc45eea498538688a3557261
Instruction Fuzzy Hash: 16D1AF30A04268CFCB15CFA8E595AADBBB1FF41302F158699E411EF2A9C7709C41CB91

Function 0883156C Relevance: 13.0, Strings: 10, Instructions: 458
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 088319DE
$]q, xrefs: 08831AAD
Te]q, xrefs: 0883174C
$]q, xrefs: 088319EA
Te]q, xrefs: 08831615
Te]q, xrefs: 088315C3
$]q, xrefs: 08831AB9
Te]q, xrefs: 088317E1
Te]q, xrefs: 088316D5
Te]q, xrefs: 08831817

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$$]q$$]q$$]q$$]q
API String ID: 0-3613213995
Opcode ID: ea7faa0c3661f8577ab036b93145dd78ac359ef09a861f09dcd61f41bd01d235
Instruction ID: 70c801fea9c3f83b79ede92207cbfb182f297cac654ca87812952b07ff493113
Opcode Fuzzy Hash: ea7faa0c3661f8577ab036b93145dd78ac359ef09a861f09dcd61f41bd01d235
Instruction Fuzzy Hash: 0BF1B378F40218DFDB149FA8D859BBE76F2AF84B02F548419F402EB385DA749C42CB95

Function 08832FB7 Relevance: 12.8, Strings: 10, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XX]q, xrefs: 08832F24
$]q, xrefs: 088330A9
$]q, xrefs: 0883326F
$]q, xrefs: 08833197
XX]q, xrefs: 08832FC1
Te]q, xrefs: 08832FE6
XX]q, xrefs: 08832F74
$]q, xrefs: 088331AD
fbq, xrefs: 08833172
fbq, xrefs: 088332C9

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: fbq$ fbq$Te]q$XX]q$XX]q$XX]q$$]q$$]q$$]q$$]q
API String ID: 0-4039791027
Opcode ID: 4a89375be2c3595828e035167012f88703b5b05ead5ed9896ecd28bfa8a3f94a
Instruction ID: 341203fcdd5ac92b0742e34f0720d8a44976be563435d29913d6325760179c3e
Opcode Fuzzy Hash: 4a89375be2c3595828e035167012f88703b5b05ead5ed9896ecd28bfa8a3f94a
Instruction Fuzzy Hash: 2CB15B31E04228DFDB25CF98E984AACB7B1FF40717F14856AE416EB799C7749842CB81

Function 0286D780 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0286D7FE
GetCurrentThread.KERNEL32 ref: 0286D83B
GetCurrentProcess.KERNEL32 ref: 0286D878
GetCurrentThreadId.KERNEL32 ref: 0286D8D1

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1552dda0a70673865a875c32350c622cb2c7b2e086ddd50a6e57b894227f3690
Instruction ID: e99cbe587a134fe8d7c85da22e183581a90d7ad46f69702a5e3787408f0e5540
Opcode Fuzzy Hash: 1552dda0a70673865a875c32350c622cb2c7b2e086ddd50a6e57b894227f3690
Instruction Fuzzy Hash: 825167B4A003098FDB14DFAAD548BAEBBF5FF88304F208459E119A7360D778A944CF65

Function 08831C98 Relevance: 4.0, Strings: 3, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8aq, xrefs: 08831FD3
8aq, xrefs: 08831FA5
8aq, xrefs: 08831F97

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: 8aq$8aq$8aq
API String ID: 0-3448709602
Opcode ID: 5304a205714e364d5fa82c870d7b0cb9c2a7ec47316cff8d3519ec9928cb51a4
Instruction ID: a88ee0c9f6d503a0f739e7fd70effc1d4575e7d3319f08f50ceeb8c1e8803455
Opcode Fuzzy Hash: 5304a205714e364d5fa82c870d7b0cb9c2a7ec47316cff8d3519ec9928cb51a4
Instruction Fuzzy Hash: A8A13538A09265CFC7158BACD8057AABBA2FF46712F04857BF016CB692C735D801CBD2

Function 0883184C Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 088319DE
$]q, xrefs: 08831AAD

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 561abe7aa18769fa2ec56d806a35a2bd1cc67e67214eaf2d0166f4865d1f13b6
Instruction ID: f4cf3b6ff7b2b200593b9f7f5b3309a059a70c20c20af0d69cc14de8b292ad36
Opcode Fuzzy Hash: 561abe7aa18769fa2ec56d806a35a2bd1cc67e67214eaf2d0166f4865d1f13b6
Instruction Fuzzy Hash: 44819438B40228DFDB248B69D959BBD76B2FB84B12F148429F402EB7C4CB758C41CB94

Function 088318FC Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 088319DE
$]q, xrefs: 08831AAD

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 547ea4525baedabcb41deb02222183d15a6d1e8d238d73412a65b9cb9fd698f8
Instruction ID: e82c2d630722e3588ee3b43b4e8bee0ba94a22ba1d71a959cab137334c163d89
Opcode Fuzzy Hash: 547ea4525baedabcb41deb02222183d15a6d1e8d238d73412a65b9cb9fd698f8
Instruction Fuzzy Hash: 1C618538B40228DFDB148B79D959BBD76B2FB84B12F148429F402EB7D4CA759C01CBA5

Function 08835700 Relevance: 2.6, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 08835AB1
Haq, xrefs: 0883592F

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: bce5ae5c555f6657b181e7c861c9e6e99919e1edc123897b1698af52e8213c2a
Instruction ID: 5716b1cfbc8015acc62fc397d46c8c804367ca8d3fefc213205d66b036c9fdbc
Opcode Fuzzy Hash: bce5ae5c555f6657b181e7c861c9e6e99919e1edc123897b1698af52e8213c2a
Instruction Fuzzy Hash: FE115670604324DFD7129B18EC95FAA7BF8EB85706F005837F006CA6C1C6749E05C7A1

Function 07084B84 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07084DC6

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dc529885cf6a7076e5c43aa0ca09ab8a9cea36ad2738062009f18fd2e2d33882
Instruction ID: f44a0c5041cea369f167a062c06c76e972452912e7445b4a4f99320ed781c985
Opcode Fuzzy Hash: dc529885cf6a7076e5c43aa0ca09ab8a9cea36ad2738062009f18fd2e2d33882
Instruction Fuzzy Hash: 1BA15DB1D0025ACFDBA4DF68C8417EDBBF2BF44314F14866AE858A7240DB749985CF91

Function 07084B90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07084DC6

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1dd3fc0793648d6b2ef08b17442e72e1fee248d088c691fe0f900481d90dd7f2
Instruction ID: 21aa4a9bb902572703198805c7574ef08d4fa5c2d5825f159b1d29b941d9b40c
Opcode Fuzzy Hash: 1dd3fc0793648d6b2ef08b17442e72e1fee248d088c691fe0f900481d90dd7f2
Instruction Fuzzy Hash: 89915CB1D0025ACFDBA4DF68C8417EDBBF2BF48314F14866AE858A7240DB749985CF91

Function 0286B4D9 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0286B73E

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1f3badb7d55888ef0e23b118fe6b47614da0317f8578183114ce65a3559dad67
Instruction ID: f498d13ed73df7abdb5bfcd6b193fca37bdb3921befd3889c6c683ccd994ed8b
Opcode Fuzzy Hash: 1f3badb7d55888ef0e23b118fe6b47614da0317f8578183114ce65a3559dad67
Instruction Fuzzy Hash: 06815B78A00B458FD724DF29D4497AABBF1FF48308F00892DD44AE7A50D775E946CB91

Function 028658EC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028659A9

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f803d283f919432af0b156ba3e80e3f0b186852cea7c0df958e17b3ad14b8b5
Instruction ID: 8238cfc0534eb8ac998169f91d5b55586a4e0df300c157657da578be5ab88f25
Opcode Fuzzy Hash: 2f803d283f919432af0b156ba3e80e3f0b186852cea7c0df958e17b3ad14b8b5
Instruction Fuzzy Hash: 6F4115B4C0061DCFDB24DFA9C8847DDBBB2BF45304F60805AD408AB255DB76694ACF90

Function 028644B0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 028659A9

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5c74843230dd83e29814839e1defd9409ace84f411e92a689570b385ea0cddd8
Instruction ID: 6b4b05f808787199bb48bd67e98e39be6dee34318a33a17602a0c524510e3c70
Opcode Fuzzy Hash: 5c74843230dd83e29814839e1defd9409ace84f411e92a689570b385ea0cddd8
Instruction Fuzzy Hash: 6F41F3B4C0071DCBDB24DFA9C848B9EBBF5BF48304F20806AD418AB255DB75694ACF90

Function 02865A64 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cb106957c4cd5b7839705141baa0b40a4668ba18e7c674967210df1c3b8dbd
Instruction ID: 19bc75e1604ccee0f0670c698d4f4430ac0d00a4a7191f3cd19b8425509df6f2
Opcode Fuzzy Hash: 85cb106957c4cd5b7839705141baa0b40a4668ba18e7c674967210df1c3b8dbd
Instruction Fuzzy Hash: EB31EFB880424DCFEB11DFA8C9597EDBBF1AF06308F54418AC005AB255CB7AA94ACB51

Function 070844CA Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07084560

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: df4031e95d5732627bc45409ff2c56c73a4176046b837002b5ba31d47196b292
Instruction ID: cefacf58c22434f120b746f809fcb21d5bc79c032a5a6f8c438ac45866bdd373
Opcode Fuzzy Hash: df4031e95d5732627bc45409ff2c56c73a4176046b837002b5ba31d47196b292
Instruction Fuzzy Hash: 5E2127B5900359DFCB10DFAAC885BEEBBF5FF48310F10852AE959A7241C7789945CBA0

Function 070844D0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07084560

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a38887de57f5f72d4603b29ffa1fa94eb011a64e6ca26bfeffa50976ae5dab8d
Instruction ID: 3e5c4e4b08dcd1b7da5195e88e1fd1a97effee5dfd643f8e6df0a79d1646bd5b
Opcode Fuzzy Hash: a38887de57f5f72d4603b29ffa1fa94eb011a64e6ca26bfeffa50976ae5dab8d
Instruction Fuzzy Hash: 6E2139B5D003599FCB10DFAAC885BEEBBF5FF48310F10852AE959A7241C7789944CBA0

Function 07084332 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070843B6

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1f03ffb82d8e9e44f3d164b83b6893310dcfb396c099d7fa691e54cf982e182c
Instruction ID: f9353fc3532427e9180ca037fdfe79d0e7a1f608c8a2aeb6709da4055c210bc3
Opcode Fuzzy Hash: 1f03ffb82d8e9e44f3d164b83b6893310dcfb396c099d7fa691e54cf982e182c
Instruction Fuzzy Hash: D82138B1D003099FDB54DFAAC4857EEBBF4EF49314F10842AE459A7240CB78A985CFA0

Function 070849F1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07084A78

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b7534c2c1b11549696fae05b8d6d9601d256cf0a85dbfb584e6237de22661b88
Instruction ID: 69b95a5c5f89a1ce2fb981d8859612f5744d9f29e499e7cbe98da7a803c56312
Opcode Fuzzy Hash: b7534c2c1b11549696fae05b8d6d9601d256cf0a85dbfb584e6237de22661b88
Instruction Fuzzy Hash: 852136B18002499FCB10DFAAC884AEEFBF5FF48310F10842AE958A7250D7389545CBA1

Function 07084338 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070843B6

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 095135c56c08a0739478637a833a771f523ed0ce7ff8a401989dc803e84732c2
Instruction ID: f3db2123215bd114837e4adb035a91f0a2aa79b337aced44bfa5fe7c7ce43561
Opcode Fuzzy Hash: 095135c56c08a0739478637a833a771f523ed0ce7ff8a401989dc803e84732c2
Instruction Fuzzy Hash: 142135B1D003098FDB50EFAAC4857EEBBF4EF48324F10842AD459A7240CB78A944CFA0

Function 070849F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07084A78

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9419e9c9057f4ffeef520d3a09193de6e8f6878bb53866f115a2228ba75a104a
Instruction ID: fa610fd73dc3f70e945f2ae86fff19a32b02c1c8fb1d4e4c73803fcd77136bd0
Opcode Fuzzy Hash: 9419e9c9057f4ffeef520d3a09193de6e8f6878bb53866f115a2228ba75a104a
Instruction Fuzzy Hash: 9E2118B1C003599FCB10DFAAC885AEEFBF5FF48310F50842AE559A7250C778A945CBA5

Function 0286D9C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0286DA4F

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f96c2f07aec2eeb686ad0fbbcfabfcbca66c733449414ef49929378446c18743
Instruction ID: 67114200ea6daccbe642eebafafd8ea6d5be3a780b3522daa34b181bff898cfa
Opcode Fuzzy Hash: f96c2f07aec2eeb686ad0fbbcfabfcbca66c733449414ef49929378446c18743
Instruction Fuzzy Hash: 3921C4B59002489FDB10DF9AD584AEEBBF9FB48310F14841AE918A3350D379A954CFA5

Function 0708440A Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0708447E

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6077737530ec0d5ea734a8d1bc10f227f539c2f549f84163b935ef04d29b32a2
Instruction ID: 208c20fab0514762c3c021096c555e0c9ff25c294b2efba850a3444220043cab
Opcode Fuzzy Hash: 6077737530ec0d5ea734a8d1bc10f227f539c2f549f84163b935ef04d29b32a2
Instruction Fuzzy Hash: A11126B18002499FDB20DFAAC845AEFFFF5EF48314F24881AE559A7250C779A545CFA0

Function 0286B959 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0286B7B9,00000800,00000000,00000000), ref: 0286B9CA

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cc908d5e4967dfcfe5f286d9c2a5ebef2ed824094b8e336150c79e5dcee0958a
Instruction ID: f915bf1debd14407c3e057a0afa580417f26c2d8d0953c836e1be6159c3b81f4
Opcode Fuzzy Hash: cc908d5e4967dfcfe5f286d9c2a5ebef2ed824094b8e336150c79e5dcee0958a
Instruction Fuzzy Hash: AB1117BA8002098FDB10DF9AD445BEEFBF4EB88314F10842AD529B7200D375A545CFA5

Function 0286B208 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0286B7B9,00000800,00000000,00000000), ref: 0286B9CA

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 09e1bb5d0e7ae88abd7d282d4078ff9df4b84ff2f75b21e2cc0a990f9ed5005b
Instruction ID: 8a4b11a9f1aead64cb1665584a0763b0949e157df9551f7302ca0fa36c5513d3
Opcode Fuzzy Hash: 09e1bb5d0e7ae88abd7d282d4078ff9df4b84ff2f75b21e2cc0a990f9ed5005b
Instruction Fuzzy Hash: 2E11E7B99002499FDB10DF9AD448BAEFBF4EB48318F10841AD519B7210D375A945CFA5

Function 07083E48 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07083EB2

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1403e4770d80dba2ac9a3c8a301b096912300b6ada758a22d2b811a7a6a204b9
Instruction ID: 85651379c933a4147e3bb547a72a5dfcc0182a482feda39e22c4679de6583663
Opcode Fuzzy Hash: 1403e4770d80dba2ac9a3c8a301b096912300b6ada758a22d2b811a7a6a204b9
Instruction Fuzzy Hash: E81149B18003498FCB20EFAAC4457EFFBF4EF88724F20841AD459A7240C738A545CBA0

Function 07084410 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0708447E

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1dc20e06da17fb79a63a2d951f86b429acedb2f63fa066cd328eab17d20811a7
Instruction ID: 6cb43f8c035ac3d4e377d301ed481927ab92de0cc71acc005c5e8efc7007b936
Opcode Fuzzy Hash: 1dc20e06da17fb79a63a2d951f86b429acedb2f63fa066cd328eab17d20811a7
Instruction Fuzzy Hash: 9B1137B18002499FCB10DFAAC844AEFBFF5EF48314F148819E519A7250C779A544CFA0

Function 07083E50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07083EB2

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 626a4c9f57664d7eb3f3a54b56986f6b55632f80e61ac0442a12c05b920894d7
Instruction ID: a1c45be4ecf501bb3ed6d3ce392ef04c5a72db60e55feedd493ff89f83c069e7
Opcode Fuzzy Hash: 626a4c9f57664d7eb3f3a54b56986f6b55632f80e61ac0442a12c05b920894d7
Instruction Fuzzy Hash: 9C113AB1D002498FCB10EFAAC4457EEFBF5EF88724F20841AD519A7240CB79A944CFA0

Function 070892A0 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07089305

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7ff7c1125207f15375053707ccfb9c7b4c656fd58f77d94b77f76785827888ab
Instruction ID: d7ce3f325a4e2a65e2176255ae3b7d203840f2b1d127acaeb9931ad3abe168c3
Opcode Fuzzy Hash: 7ff7c1125207f15375053707ccfb9c7b4c656fd58f77d94b77f76785827888ab
Instruction Fuzzy Hash: 3D11F5B58003499FDB10DF9AC885BDEFBF8EB59314F20841AE959A7640C375A544CFA1

Function 0286B6D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0286B73E

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 39a9c02116c28557412e2d68cfc406b50e8fa86255b9219442ee62aa45298e79
Instruction ID: cdc0d5c56f1d13d629af809b0c530f85a48fd60973d970eaa9e2e868891de0ae
Opcode Fuzzy Hash: 39a9c02116c28557412e2d68cfc406b50e8fa86255b9219442ee62aa45298e79
Instruction Fuzzy Hash: 7C11E3B9C006498FDB10DF9AD448AEEFBF5EF48318F10845AD529B7210C379A545CFA1

Function 07085A0C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07089305

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e18b15d37d86f38b447e6af8b6367a115e90665df5506f534c32f1be2e379bcf
Instruction ID: 51fdb9a0860c7ef6f24dfc93929ed7ee11c9eabc462fd8372eec36dfb1bed600
Opcode Fuzzy Hash: e18b15d37d86f38b447e6af8b6367a115e90665df5506f534c32f1be2e379bcf
Instruction Fuzzy Hash: 081106B58007499FDB50EF9AC845BEEFBF8EB58314F108819E558A7240C375A944CFA1

Function 08834CC4 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Te]q, xrefs: 08838331

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 50797f8cb38c7c6d004bd3edeabe0d367fcb73349dcae4bf5f6459f0dcb0ebf9
Instruction ID: adffa0b8fee54c3e0485102a972655963d36340d4d572f5a824b24f1d03625be
Opcode Fuzzy Hash: 50797f8cb38c7c6d004bd3edeabe0d367fcb73349dcae4bf5f6459f0dcb0ebf9
Instruction Fuzzy Hash: 8651AE34B002198FCB15EF7998448BEBBF6FFC5321B248969E459D7351EB309D068791

Function 08835E77 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

V, xrefs: 08835EE8

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 7853594dd73875e4d8edbbfd0b8aac7365a93f80d75c1d2ba5f8e56c5fbef95c
Instruction ID: bf9d630cdb990aa0da9c55d4b834416c2f6d2d376471ec66820e495cb2301701
Opcode Fuzzy Hash: 7853594dd73875e4d8edbbfd0b8aac7365a93f80d75c1d2ba5f8e56c5fbef95c
Instruction Fuzzy Hash: 5E519030904138DBDF10DF69C5527FEBAB1AF8830BF04856BE466EA691D739C980DB91

Function 0883E030 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0883E163

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 5bfb987f0ec562bae144c2087cc8fe35f439967f84d65c9ab67f496635799e89
Instruction ID: da47f2b770802f5a601db886e7642ee7eb1524220d7e44e5bbce88fe7568e9dc
Opcode Fuzzy Hash: 5bfb987f0ec562bae144c2087cc8fe35f439967f84d65c9ab67f496635799e89
Instruction Fuzzy Hash: 82413574E05268CFDB04DFAAC8946EEBBF6BF89301F10902AD409EB754DB355846CB80

Function 0883E040 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0883E163

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 7d3143bac7f1224d68055767acc21b38d023228698c5e118518e09a96e6afe6c
Instruction ID: 663cc239827fe79eb52a388cd5a42d1faca6c47b610f733aeecd9b1aaf062595
Opcode Fuzzy Hash: 7d3143bac7f1224d68055767acc21b38d023228698c5e118518e09a96e6afe6c
Instruction Fuzzy Hash: AC41F6B4E0522CCBDB44DFAAC8956EEBBF6BF88301F109429D409AB754DB755845CF80

Function 08834118 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

l.]q, xrefs: 0883422A

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: l.]q
API String ID: 0-1248894718
Opcode ID: 318cacaf40f537b5deab60a211633fe51579011dca6164920b7f4943d99fe8e1
Instruction ID: 1c8d9b89eda0914e947f9d41eba2bcfb397d479dd334d76154d966704be74b6e
Opcode Fuzzy Hash: 318cacaf40f537b5deab60a211633fe51579011dca6164920b7f4943d99fe8e1
Instruction Fuzzy Hash: 57319231905A28CBCB618FAEC84066AF7B0FF61306F05856BE466E7751C230D941CB8A

Function 0883E0BF Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0883E1BC

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: fd2b237cac0865948040072f1d9626f0e863ce0cba1b693a59ef2661fc22b7a1
Instruction ID: 4e506ee67468a84e34bc855088c4a867aa34a93d351de36812b788d1cac10291
Opcode Fuzzy Hash: fd2b237cac0865948040072f1d9626f0e863ce0cba1b693a59ef2661fc22b7a1
Instruction Fuzzy Hash: 45219D78E00219CFCF44CFE8D4859ACBBB1FB88311F10816AE919AB365C731A946CF50

Function 0883F9CE Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

r, xrefs: 0883FB6E

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 65d0bc404d81eedb1fdf67f092effbf46c93f2fd772e3495b30c950b3b5437e9
Instruction ID: d5945ef12864e9f22854d132837e826bfee94bb454b34605c2be7659a9349202
Opcode Fuzzy Hash: 65d0bc404d81eedb1fdf67f092effbf46c93f2fd772e3495b30c950b3b5437e9
Instruction Fuzzy Hash: F7012570D0A128EFC704CFA8D4944FCB739FB8E31B7009095D61A96202CB39A845CFD0

Function 0883FA9C Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

r, xrefs: 0883FB6E

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 892782d7704a9ca1e9a6afdbafcbc2610455c54f59d02109a441ae542201f670
Instruction ID: 38de62f366943f0e3e22fb3ee9bb7cf36cedc218c5998e142d86960e3c95c5c5
Opcode Fuzzy Hash: 892782d7704a9ca1e9a6afdbafcbc2610455c54f59d02109a441ae542201f670
Instruction Fuzzy Hash: C9017C35D09128DFC744DF68C4954FCB739FB4E31B7109155C61A96252CB39A885CFD0

Function 08838A88 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Haq, xrefs: 08839CC1

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 83a826c0a971a6b19f084a7157531c6dedbf5e927fc5d4c9aeb4f3136c19ef17
Instruction ID: ab3a70910974c00b5a07b14cd0e1ad55ca150dbefa76d726829a09e7a6a6f088
Opcode Fuzzy Hash: 83a826c0a971a6b19f084a7157531c6dedbf5e927fc5d4c9aeb4f3136c19ef17
Instruction Fuzzy Hash: 8301D6346093489FD7059FB899611AD7FB1EF82300F2048EFC444E7256DA349E0AC751

Function 08838157 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0883815B

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 2413f463b0ff344a3d8a75cf7fc074ea6960a2557ef56225b3bc69435bda675d
Instruction ID: b4d7e48d21d82cbcc80aaa766738fccfdde74b19550bfbe65a2bd1f469ba95e0
Opcode Fuzzy Hash: 2413f463b0ff344a3d8a75cf7fc074ea6960a2557ef56225b3bc69435bda675d
Instruction Fuzzy Hash: DDF09035B1011A87DB09EBA8CA519FE72B3AFD8701B204079C406EB384EF358E03C792

Function 0883AD78 Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

=n>, xrefs: 0883AD7B

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: =n>
API String ID: 0-3924685907
Opcode ID: fb535f1e7a6749859a1e421f6fa1bd814fcf6070609881ac18068244269d7574
Instruction ID: 1b147df4ac60e2c9fe4d1c8e9108a5dedd80061faa85414b554450e830ab6ee2
Opcode Fuzzy Hash: fb535f1e7a6749859a1e421f6fa1bd814fcf6070609881ac18068244269d7574
Instruction Fuzzy Hash: 9CD0123611011C9E5B80EE9AE840C5277DCFB147017008872F548C7521E621E929DB91

Function 0883AE00 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3320018038cdd4f51be74818af40987d8268b18d65b6ee4ea0eeb836246143e1
Instruction ID: 6b785988117b8fa3c31cd1f45410087d8fe9d60fc9addb51ee88c8287f9bb293
Opcode Fuzzy Hash: 3320018038cdd4f51be74818af40987d8268b18d65b6ee4ea0eeb836246143e1
Instruction Fuzzy Hash: 84D1F470A04679CFC719AFA8D4506ADBFF1EF06312F148256E0A1DB2A1D334D941DB91

Function 08834EF0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aff128d9f40385162421e1e416e30ebab341acfa6ae12a708e4ea44a55d689f
Instruction ID: fd94bca602a86ad6acdd9db0a5e9f09a16fddac19568d69b46aee33ae3d44799
Opcode Fuzzy Hash: 3aff128d9f40385162421e1e416e30ebab341acfa6ae12a708e4ea44a55d689f
Instruction Fuzzy Hash: A5E1E4B0804629DFCB019FA4E4557BE7FB1FF0530AF04899AD061DB692C77A9948CF91

Function 0883E25F Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf5541a5b552ecb74fbc624f4f287595acdc85b109e9d209b28b2560760a481
Instruction ID: 28415201e9b98a6bda058da4388813b069f7a9fac87710fdbd90a74bdfe22c6b
Opcode Fuzzy Hash: 8cf5541a5b552ecb74fbc624f4f287595acdc85b109e9d209b28b2560760a481
Instruction Fuzzy Hash: E3B14070E05229CFCB54DFA8D580AEDBBB9FF88304F109625E509EB755DB34A946CB80

Function 0883ADF1 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3067a79bfc6a752518001b0d961ec73fc29644191b30e8ff660095aed943ebfe
Instruction ID: 5a3e0598bcdf976b865a78c8c8be597c86460144340eb2b8ad1581510a3d3397
Opcode Fuzzy Hash: 3067a79bfc6a752518001b0d961ec73fc29644191b30e8ff660095aed943ebfe
Instruction Fuzzy Hash: DEA1AD70A08979CFC719EBA9E450BBDBBF2EB04316F048167E095EB681D334E951CB91

Function 08835B68 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d09834d33b52dbbdc2f709ddb448dbab3b05366cb5503104a958bd2e81c5eca
Instruction ID: d034f98d34f5b79780210b62d81bbc4c2d6bd13ef52bb86fcb110761bb86fd8e
Opcode Fuzzy Hash: 7d09834d33b52dbbdc2f709ddb448dbab3b05366cb5503104a958bd2e81c5eca
Instruction Fuzzy Hash: 32A18131504229CFC708CF68D485A6ABBF1FF45321B1586A6D462DBAF6C771EC81CBA1

Function 08834738 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8077dbe4f5e4e5269df549c3b68744950f89a4462e7ae2612494a922b76a466
Instruction ID: 2c4a90c35d47f08a0535336d340b63d3da68a9b1ec6ff5da88d461645289ee25
Opcode Fuzzy Hash: c8077dbe4f5e4e5269df549c3b68744950f89a4462e7ae2612494a922b76a466
Instruction Fuzzy Hash: 59712930909269CFC7248F6DC84027ABBF1FF56316F14866BD5B6DB2A2D3349841CB99

Function 088350D0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54c304eb89d92cc7d6764aa551c3e50b990ad6a488c8a0dce1e408528a5b7c2
Instruction ID: 6e44b8eecb8124740bb32f4f5e58e25b9593c9c69e712f6af808127b139a26b8
Opcode Fuzzy Hash: c54c304eb89d92cc7d6764aa551c3e50b990ad6a488c8a0dce1e408528a5b7c2
Instruction Fuzzy Hash: E0816DB0C0462ADFDB018F95E4496BE7FB1FB0430AF04899AD4A1D7681C7BA9658DF81

Function 08839710 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d18eb20f11ba319a006a2762f1edd7de4115719405e98d7e35273b9dfac9e68
Instruction ID: 40a9f206bd3aa938f756496f49d6e536ec219182162b12d3666ba73a613c9ef0
Opcode Fuzzy Hash: 2d18eb20f11ba319a006a2762f1edd7de4115719405e98d7e35273b9dfac9e68
Instruction Fuzzy Hash: 9661BF70A04228DFCB158FA8DC85AEDBFB6FF46311F054156E552EB2E2C7B09946CB90

Function 088350E0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f6bd61f7c93a7ba34be90bd646264516bbf6c4a07095e0660589379f36614c
Instruction ID: 73ab94b1ecacd1f04a1b4988c3962136e118caf5b5ed79bca841197ad7128f77
Opcode Fuzzy Hash: b3f6bd61f7c93a7ba34be90bd646264516bbf6c4a07095e0660589379f36614c
Instruction Fuzzy Hash: 48817CB0C0462ADFDB01CF95E4496BE7FB1FB0430AF04899AD4A1D7681C7BA9658DF81

Function 0883A8C0 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96dadbbd91413e7846823c3409c22d239a241274de7a6db514d9dce44820669
Instruction ID: fe5e0ec3c1f4144886d256df12629d91c4bd93c5bb454f882017379dbdc3f7c1
Opcode Fuzzy Hash: c96dadbbd91413e7846823c3409c22d239a241274de7a6db514d9dce44820669
Instruction Fuzzy Hash: E351F531919A78CFCB198F69D9006BBBBB4FF45312F008167E9E5DB291D3349941CBA2

Function 08835B67 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea27bd07de2109993773d1aec28c91542d1c079899c3459e9774f619b945a6d
Instruction ID: 24f9e1cbe229fa051a960d5196706b833c3cb8d7985f9268e2fec7cdb2dee7dc
Opcode Fuzzy Hash: eea27bd07de2109993773d1aec28c91542d1c079899c3459e9774f619b945a6d
Instruction Fuzzy Hash: 52615131A04228CFCB14CF68C588A6AF7F1FF44316F5586AAE452DB6A6C774E841CBD0

Function 08838D90 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf4da283dc64da4a73d827a26c7836a58200c25bcdfd2d9453ad811e03f0179
Instruction ID: ef3320846025a387548caccefdab30889bf14467b79719ae32ae4ddf00974fd0
Opcode Fuzzy Hash: 6bf4da283dc64da4a73d827a26c7836a58200c25bcdfd2d9453ad811e03f0179
Instruction Fuzzy Hash: 9F715B35A00619DFCB14DFA8C454AADBBF2FF88315F108169E909EB361DB71AD85CB80

Function 08839701 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d337b1693a07d061b89027a896eb41c2753a3b5647fa7e92c12013bd49b16f29
Instruction ID: 616407ddb3c9dfd4d6f3f93ddf5e1803d9377d889b2c3cf4c26fe2454cdcab5f
Opcode Fuzzy Hash: d337b1693a07d061b89027a896eb41c2753a3b5647fa7e92c12013bd49b16f29
Instruction Fuzzy Hash: DF518D71A04228EFCB118FA8DC84AFEBFB6FF45312F04416AE505EB281D7B49945DB91

Function 088328F0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb625620f4134663ca0e30144d689bb1d80206f2773dba59e41a923056444af
Instruction ID: 9d9a68739f162d7161f03792eb5a4a988e03e02b48e8a6ebcdf4a9356891dfe0
Opcode Fuzzy Hash: edb625620f4134663ca0e30144d689bb1d80206f2773dba59e41a923056444af
Instruction Fuzzy Hash: EB41E370D082698FCB219F79C884AE9BBF1BF45306F0841ABD461EB292D3749851CBE1

Function 08834BC7 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c4886a65314a3aab361026347b6301bb4483f39061b3f5ddc112a6dba25eb55
Instruction ID: 5e0009880a8aac93cca75d7951492da6331208375190378f6653a62d5d201a3a
Opcode Fuzzy Hash: 6c4886a65314a3aab361026347b6301bb4483f39061b3f5ddc112a6dba25eb55
Instruction Fuzzy Hash: C2315D1285F3F05ED703A73C6A758E67F64AC5322570A01D7D0D0CF4B794588A9DC3AA

Function 0883FB3D Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9aa39c977cccb33f40d1508fb29a51065b925c2c95ea91c7087bfd58cf5197d
Instruction ID: 60b6713c588d6d11bc915e4b268fcdde9ca3f9a30fc4b6e7bb56698a385e1189
Opcode Fuzzy Hash: b9aa39c977cccb33f40d1508fb29a51065b925c2c95ea91c7087bfd58cf5197d
Instruction Fuzzy Hash: 2A41D274D09129EFCB00CFA8C1849EDBBB9BB4D306F109555DA1AE6212DB35A985CFD0

Function 0883B660 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fdc976305d980fea9337e70cc2d4671f4f4729283cecff20098a7fc81f5f15
Instruction ID: bef46f704dfbb502725255807ceb51b492b9812e7f6f73a70994427e3549476e
Opcode Fuzzy Hash: f6fdc976305d980fea9337e70cc2d4671f4f4729283cecff20098a7fc81f5f15
Instruction Fuzzy Hash: 5F3192B5A04629CFCB50CFADD8406AAF7F5FF45236F04856BE019D7692E334EA018B91

Function 08838A6C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea177520957a436f4ce34adae4ad50ef96e7ab462b86754e9dbe3a9e91158ef
Instruction ID: aef688cf8f3617d8fcd755b1e0a6fc0c04adb9083efcd2147ae2b06612e2caa7
Opcode Fuzzy Hash: 2ea177520957a436f4ce34adae4ad50ef96e7ab462b86754e9dbe3a9e91158ef
Instruction Fuzzy Hash: 5B3167B1900219AFCB10DFA9D844ADEBFF9FF49320F10842AE909E7310D774A940CBA1

Function 08831C88 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6610498a893509c701dde88e821b22db2508dda39e83778ed7077d29c01e0245
Instruction ID: 30d06c1ac4e7d5f4c0dcc66728d265aaeda800f9fcd1d680cf7716c65b30c05b
Opcode Fuzzy Hash: 6610498a893509c701dde88e821b22db2508dda39e83778ed7077d29c01e0245
Instruction Fuzzy Hash: D931E639A191248FC714CB68D8887B9BBE2EB42716F08867BE015CB792C775984287D5

Function 00EED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050738742.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f669e37c790f1a2f40983831f27f4ddbc889fdc5456c7f9d567a777cb6f03e1
Instruction ID: 2a4334b7dfd51ea332f465edc2d2c72c2c268507109f587dc480d67bbecd344e
Opcode Fuzzy Hash: 3f669e37c790f1a2f40983831f27f4ddbc889fdc5456c7f9d567a777cb6f03e1
Instruction Fuzzy Hash: 7321F571508288DFCB15DF24D984B16BF66FB84314F28C569D9095B296C33AD807CA61

Function 00EED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050738742.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f1e37908911882341d3f05dbb9bdb4d0aa94aed9f74ff197df511ab279648b
Instruction ID: d7c7b1a50037dcf904766408d12cae8fcd11c73434de4ddbb3a1040b8563cfe4
Opcode Fuzzy Hash: 73f1e37908911882341d3f05dbb9bdb4d0aa94aed9f74ff197df511ab279648b
Instruction Fuzzy Hash: 16213771508288DFCB05DF65D9C0F26BB65FB88318F20C56DDA095B3A6C33AD806CA61

Function 08838375 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec6086d568f47ae4e0fa59217e252ec4ade3815844ea88021d7d7a38f504000
Instruction ID: cd2f29d22a04b82116c00a629f4fcfd56153abae3d6e0d2fbb4ef1bd9ebb0d1a
Opcode Fuzzy Hash: 5ec6086d568f47ae4e0fa59217e252ec4ade3815844ea88021d7d7a38f504000
Instruction Fuzzy Hash: D33105B0D01258DFDB20DF99C584BDEBFF0AB08714F24846AE404AB740C3B55849CFA5

Function 0883EFA2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195f8893c87683461f251da41c507e3afc81bf9953cff9032ed66484ad1a4180
Instruction ID: 5b9ebd10ba7e2799d92b17568c9b5627ef1769c19919490cb7d58629ac90a399
Opcode Fuzzy Hash: 195f8893c87683461f251da41c507e3afc81bf9953cff9032ed66484ad1a4180
Instruction Fuzzy Hash: 39212570D08628CBDB18CF56D9442EEFBB6BFC9302F14D46AC51AA2264DF7559468E80

Function 08834E64 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae00b371110c7da6c3f302ee6bab8576e55c2bdef9eba40b1d0f4602792cb4d6
Instruction ID: 10c4cfe9dfb8d27e7d841c8ef53d0e00cad9e06b18f59f5ae06d925347433962
Opcode Fuzzy Hash: ae00b371110c7da6c3f302ee6bab8576e55c2bdef9eba40b1d0f4602792cb4d6
Instruction Fuzzy Hash: 4631A0B0D41318DFDB20DF99C588B9EBFF5AB08714F24846AE404BB750C7B9A845CBA5

Function 0883E15B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63517cbc11495c21b90c77791d7d25ae3836f8a137a2cd0ced7e619c2a2b79f
Instruction ID: f1abbf83f6cab4bc585f8e87685c476576c8322dc0098c45412e1e2ff79d31ea
Opcode Fuzzy Hash: d63517cbc11495c21b90c77791d7d25ae3836f8a137a2cd0ced7e619c2a2b79f
Instruction Fuzzy Hash: F521CE78E09268DFCB40DFA4D895AEDBBB6BB49302F105429E409EB745D734A806CF41

Function 0883FDC8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4bf0f83babf7ca6540f195024deb12fc5da5d0b08df3dcefc8e6854a941445
Instruction ID: 737671676acfe2e373260db9ac47c1788d89f5318349fe43cc98d037006402a7
Opcode Fuzzy Hash: 9d4bf0f83babf7ca6540f195024deb12fc5da5d0b08df3dcefc8e6854a941445
Instruction Fuzzy Hash: D5110130D0E298DFC701DF69A8459F8BFB8EF86202F14999AD144CB5A3CB308949CBC1

Function 00EED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050738742.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67526475ddc136cc27d5262c8c6e9f9e769c1ca261280307e2220a7a8af6e323
Instruction ID: 4fe7bf22267baa7edf83e37f1305f1d7cd0b918b112bed2b05ba2cf136211ab7
Opcode Fuzzy Hash: 67526475ddc136cc27d5262c8c6e9f9e769c1ca261280307e2220a7a8af6e323
Instruction Fuzzy Hash: 6921507550D3C48FDB12CF24D994715BF72EB46314F28C5EAD8498B6A7C33A980ACB62

Function 0883EF13 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87bdec3e689ff617f1437c4be37b572cd2c739d1fd1ba8805e7c8be57eb842f
Instruction ID: 969ccb5278d0d20a2157e6e760415ac7ebeaa70b79208e647943d0227118c894
Opcode Fuzzy Hash: b87bdec3e689ff617f1437c4be37b572cd2c739d1fd1ba8805e7c8be57eb842f
Instruction Fuzzy Hash: 732147B0D056688BDB18CF6BC8447EEBFB6AFC9300F04C46AD509A6264DB740A49CF90

Function 088381C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fdb3ff625699db4d174eaf66394304cc94901ba6b8888b1f19c38d4aade4db
Instruction ID: 9622e465ac31863e7b06ba1165f26ba643c41efd30365dcb10f6677144fdeaad
Opcode Fuzzy Hash: 60fdb3ff625699db4d174eaf66394304cc94901ba6b8888b1f19c38d4aade4db
Instruction Fuzzy Hash: AB11E075A007254F8B15EB799C408BFBBFAEFC4261B24892DE814E3340EB309D0687E1

Function 0883B598 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21aa96107e6cc9e9aea2f8508c775ee3d2608e8168aec58576cdf26451c1a51
Instruction ID: 78a29096c35659445f5dd46717b670c13961f13f829d78a19bfe2e47b0abaf34
Opcode Fuzzy Hash: a21aa96107e6cc9e9aea2f8508c775ee3d2608e8168aec58576cdf26451c1a51
Instruction Fuzzy Hash: 5611E570781628DFD7184E29880ABBA3697AF85B21F208869E102CF3D6DB65EC01C7C1

Function 08838A7C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaecd4350d5aa983b2c26dadc1df27c64f586c86f4b1c55cde95d42745691f6
Instruction ID: abd60bad5683a25d609426e957224529c36a60e1a4bc9581bb7b1ef6f9578dc7
Opcode Fuzzy Hash: deaecd4350d5aa983b2c26dadc1df27c64f586c86f4b1c55cde95d42745691f6
Instruction Fuzzy Hash: 442112B58003499FCB10DF9AC888ADEBFF8FB49310F10841AE919A7310C378A955CFA1

Function 0883EF20 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bd74901b0e5d9df0b85be8918eb55de1838b7912cfc582fa741e5bb20f5fd0
Instruction ID: b8cdc6363183250f8feef446c627a0dcfb3914da2606db77d9b0b5a7bee3833a
Opcode Fuzzy Hash: 67bd74901b0e5d9df0b85be8918eb55de1838b7912cfc582fa741e5bb20f5fd0
Instruction Fuzzy Hash: C41128B0D046288BDB18CF6BC9447EEFAF7AFC8301F04C46AD50AB6264DB751A45CE80

Function 00EED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050738742.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_eed000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b364829fee392a2a6c870231575de244ed384b08687afe4b398073a64e4fc5d2
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 8811BB75508284DFCB02CF50C9C4B15BBA1FB88318F24C6A9D9494B2A6C33AD81ACB62

Function 08838AA4 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6080e4c72a4eec0700dadebf6cff1d6a36eb28fdbc893955f1e4e24b0cee9b20
Instruction ID: bdd52463d0a849323682d78377a78ad6a5ec764a5153852e32a2904010a8cf6d
Opcode Fuzzy Hash: 6080e4c72a4eec0700dadebf6cff1d6a36eb28fdbc893955f1e4e24b0cee9b20
Instruction Fuzzy Hash: 9001A775B0122A5B8B14EE5DDD804AFBBBAEFC5212B14483AF905D3340EB70DA0587E2

Function 08835630 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8746becd359a33f01cfd812bfe1eeb496a287c93f4e8dfdf45f1e6944b47721
Instruction ID: aabc3c4a181a4bf6b23cbae45cfc47afdb661fb225dd66ac5ddc70c7ca6e140c
Opcode Fuzzy Hash: a8746becd359a33f01cfd812bfe1eeb496a287c93f4e8dfdf45f1e6944b47721
Instruction Fuzzy Hash: 1E1184B060452CDBC780DF94F4412B67BB4F74831AB2048E9D48AC6241EB77EA66D782

Function 0883FE40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009ce2735595cfa9512f2c072ac11d69b685ba38495ec31ef524e38eb1e2f846
Instruction ID: 5b730f4bda4e655f87589f13e4c6d8c9ed834e190e0550f3dd3fe62d2e06c62c
Opcode Fuzzy Hash: 009ce2735595cfa9512f2c072ac11d69b685ba38495ec31ef524e38eb1e2f846
Instruction Fuzzy Hash: 07012934E09118EFCB04DFA8C685AA8BFF5EB4A301F159095E509DB262CB359E04EB80

Function 08835638 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5b3bdb0107ce55982ca663ba1099669edcf38c3933a95f8b012d0246605478
Instruction ID: 80bdcf4ba4aa181475c244354a919d7d9415f8872dc6a3d1fd33b7502de891cf
Opcode Fuzzy Hash: 0e5b3bdb0107ce55982ca663ba1099669edcf38c3933a95f8b012d0246605478
Instruction Fuzzy Hash: DF01527060442CDBC780DF94F4416767BB4F74831AB6048EDD48AC6241EB77EA6AD786

Function 00EDD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050663923.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddf1e308e574289b565e2a69ec2cc2dd8fe09aadffc87b37935679865165838
Instruction ID: 0270b69b34bab14cae5da2c645df246dbcd95dbb7c4593dbc34cbfe46e5f495b
Opcode Fuzzy Hash: 5ddf1e308e574289b565e2a69ec2cc2dd8fe09aadffc87b37935679865165838
Instruction Fuzzy Hash: 40012B310087049AD7209A1ACC84BA7FF9CEF55324F18C4ABED081A386C3399C41CA71

Function 08834A10 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec021184d7d458ea991587d130166c3a0e020afd62ca3b6064b76cb65a52e24
Instruction ID: ca839dc6e7e5b4e12c9ec551d85685be3909520e92b02835d492648f397bd8df
Opcode Fuzzy Hash: 0ec021184d7d458ea991587d130166c3a0e020afd62ca3b6064b76cb65a52e24
Instruction Fuzzy Hash: FC111BB0D0020DAFCB45EFE8D9516EEBBF5FF48300F1089A6D115AB355EB345A069B81

Function 088387D0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6545cf30d502990ae5850389a5a8c075cf30418806b94e13ca264a196a849ef0
Instruction ID: 372e1fd2d6d206c4ddd90618e6080360d487c6d6be42dc6409adc431ba19ce08
Opcode Fuzzy Hash: 6545cf30d502990ae5850389a5a8c075cf30418806b94e13ca264a196a849ef0
Instruction Fuzzy Hash: 2BF0BE727042142F93148AAA9C91CA7BBEDEBC93603258076F408DB311C9208D0183F0

Function 0883FDD8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f81ff091e772275f1f7161f72155124b345870173d66b979b2825d913096f1
Instruction ID: d479da2493e87beb6cc1a2887e2898656f92471af050e2ecfb29ac37d5b90dab
Opcode Fuzzy Hash: 48f81ff091e772275f1f7161f72155124b345870173d66b979b2825d913096f1
Instruction Fuzzy Hash: 1EF06930D09228EBC704CF5AD545AB8BBBCAF89306F14A1A4D109DB212DB309A04EBC0

Function 08838734 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decc22a86041ee095a22bc4b07d1e8e776eec7a64cf9f6474750d23e2ad4d58f
Instruction ID: 346f517e64a5d9ae04d2d0071ccc0956337e693921b33de124a9e37678dadae7
Opcode Fuzzy Hash: decc22a86041ee095a22bc4b07d1e8e776eec7a64cf9f6474750d23e2ad4d58f
Instruction Fuzzy Hash: F5010875900229DEEB14DF69C9047EEBAB2BF49311F148269E464EA291C3794A80CBD1

Function 0883ACC9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d17cfa89ec877e47dd8efed817209c201f08649b710d432924a8a4de289e59e
Instruction ID: 974b0e2c6bfb517be8c4408b1c82719eaad9af52effc1cb11a58f9df2a054b13
Opcode Fuzzy Hash: 2d17cfa89ec877e47dd8efed817209c201f08649b710d432924a8a4de289e59e
Instruction Fuzzy Hash: 27F03CB0E0422AAFE754DFA8D845ABEBFF9EB48200F108569E440D7241D7748A44CBE1

Function 0883EFD0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0da8890a2577be055a91b81145c494416bde442da107f8d6a7bb80018b1715
Instruction ID: 7180e74d086bf2674a7409189600746fb4de7def1a75bcde420abf45fc226414
Opcode Fuzzy Hash: 4c0da8890a2577be055a91b81145c494416bde442da107f8d6a7bb80018b1715
Instruction Fuzzy Hash: 0D01B6B1D04618CBDB08CF97C9446EEFBF7BFD9305F14D06AC50AA6268EB7515468E80

Function 00EDD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050663923.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_edd000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820c4fce64c77c23b7df7b743bcf75c567680e1f90105f790b1a04d79e2d4252
Instruction ID: 9e7de3f2f30b5683d84c1480d6e4a171fc9792f09bdbd50a1b2116843d0913f5
Opcode Fuzzy Hash: 820c4fce64c77c23b7df7b743bcf75c567680e1f90105f790b1a04d79e2d4252
Instruction Fuzzy Hash: C6F062714097449EE7208E1ADC84B62FFA8EF55738F18C49BED485A386C279A845CAB1

Function 08839B80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3b2aee6b707bfcf5499ec4716fde2d1042efa1302f860f85f418128b66c6de
Instruction ID: 5d9befb40d5b71098efd7f3c54ddfcbb32d5fe3a99aeec37729fa91fd890f356
Opcode Fuzzy Hash: db3b2aee6b707bfcf5499ec4716fde2d1042efa1302f860f85f418128b66c6de
Instruction Fuzzy Hash: 17F0E232A041197FEF04DFACED5189ABFAAEF54224B00817BF408E7255EA31D85087A2

Function 08838740 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc2bb000a9b313e3208789a9764acda6e9b72d4ee3d1dbcbe75567c9e3efd0e
Instruction ID: acba72113e8ae0bca1954bbcf2b0ac40ba652e9f02af4ef0fe61dd1d915a7ed3
Opcode Fuzzy Hash: 8cc2bb000a9b313e3208789a9764acda6e9b72d4ee3d1dbcbe75567c9e3efd0e
Instruction Fuzzy Hash: 4E01FB70800229DFDB14DF6AC9043EEBAF2BF48351F148229E824EA290D7794A40CFD0

Function 088387E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6a4965b86384babe6154ac1679365d1320fa57c7ac85cf0279e3be3ff4e5f2
Instruction ID: ee04f77ed1466fc1a28185109f3aaf735b6aa1bafd1771856b03f3374da35fff
Opcode Fuzzy Hash: 8c6a4965b86384babe6154ac1679365d1320fa57c7ac85cf0279e3be3ff4e5f2
Instruction Fuzzy Hash: E9E03972B001286F93049AAED884C6BBBEDEBCC660361807AF508D7310DA319C0186A0

Function 0883AC70 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecce62f45973d392c067e5a532295e07dfccb0c36b5bdb27cdeca1730531030d
Instruction ID: 1751c80e8d47294103b451f59efee644310675059f75a4876eec1f9e15673898
Opcode Fuzzy Hash: ecce62f45973d392c067e5a532295e07dfccb0c36b5bdb27cdeca1730531030d
Instruction Fuzzy Hash: 13F0A075945629EFD300DF789945AAEBFF5AF09200F1084A9D044D7311D7714A45CBE2

Function 0883ACD8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8abbbc882ff16b414de2bbca42afce2208fdb556cee84365845a8c9bfd16c0a
Instruction ID: c601df1f6553d87d535c9a66d689d71cd01f4ad64bdde9d29914eb858d960c95
Opcode Fuzzy Hash: e8abbbc882ff16b414de2bbca42afce2208fdb556cee84365845a8c9bfd16c0a
Instruction Fuzzy Hash: 19F0DAB0D0431EDFDB48DFA9D845AAEBBF4EB48601F1085A9D918E7341EB7495448BD0

Function 0883D9D5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74a51062e5a47eddd3163f9a964df876996bd28fe814f62fc4de374a29c948d
Instruction ID: d571b5b997f5877fbd6d4d5c4ffe5fefe174f30d92be681344803952405e829c
Opcode Fuzzy Hash: b74a51062e5a47eddd3163f9a964df876996bd28fe814f62fc4de374a29c948d
Instruction Fuzzy Hash: 22F0C4B4A05228EFDB519FA4C844BEEBBF5BB0A305F108499E149A6251DB341A898F52

Function 08831520 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ee5b9df95621504cc95d77bba01db20f9bc0d1bd76310f7701e5341b526cf7
Instruction ID: 156d229f866084c25be75a567e737b2e9d642bf8cd7c7e11319d751c665d5fd5
Opcode Fuzzy Hash: c7ee5b9df95621504cc95d77bba01db20f9bc0d1bd76310f7701e5341b526cf7
Instruction Fuzzy Hash: 16E01A762009246BC714EE5EE8116EABBABEFD4720B14812AE849D3350DA35A91286D5

Function 08831530 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadb581365acf63ae5a15e98e8cf6ac3a492cf538604a74ba668b7cc04bae7b4
Instruction ID: 023b532072f0f133ed61b64e48a61d76804c946a816587b08383ce1f9b3a8ec5
Opcode Fuzzy Hash: cadb581365acf63ae5a15e98e8cf6ac3a492cf538604a74ba668b7cc04bae7b4
Instruction Fuzzy Hash: 4FD01236300924578B18AA1EA80489EFB9BDFC5721714C13BE80DC7350CE75590286D5

Function 0883D661 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97723fd14025f068e07b2c04beb1101ec94c25310129f9d933b3552d6456a44
Instruction ID: 7794ace8a78ae7a9620dfdbfd07304bf518d1043a835776c96df18233981b56b
Opcode Fuzzy Hash: e97723fd14025f068e07b2c04beb1101ec94c25310129f9d933b3552d6456a44
Instruction Fuzzy Hash: 4BD05B3004B394DFD3132B64B8592F17F746703212F44459BF548D1D52961A55ACD7E6

Function 08834568 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13b9fc2b40153267f5d25c96ef48fea6b143e6b7b7ed9c66a9405738048664a
Instruction ID: e19471d789ff1dddb8ea9fcddcb5ddedfa2befb927d36b1669728df09ec61f60
Opcode Fuzzy Hash: c13b9fc2b40153267f5d25c96ef48fea6b143e6b7b7ed9c66a9405738048664a
Instruction Fuzzy Hash: 75D05E70A093618FD7361B60981A3507B70FB62242F6600A7D142C6992E7654418CBAA

Function 0883D88C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300f6ce34fc59830195cbb9848a6b514384b381b9b9fb2b0779355fec94dc703
Instruction ID: ea748e6ed90917cd5e341bed7e19b4bfb3f8be628588545ebff78e063389b4cc
Opcode Fuzzy Hash: 300f6ce34fc59830195cbb9848a6b514384b381b9b9fb2b0779355fec94dc703
Instruction Fuzzy Hash: 31D09E35A4611DDFCB10DB58E9417E8B779EB85315F0011A2D60D96115DB311A55CF41

Function 08839B58 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560f963db2bbe4d684a886b6e2993446ff423dd3cd039756b4e5ad6279598797
Instruction ID: 5b28351edeb91865b488935725cca737a8c7f9a8f2b38bedae8b1a476a632d36
Opcode Fuzzy Hash: 560f963db2bbe4d684a886b6e2993446ff423dd3cd039756b4e5ad6279598797
Instruction Fuzzy Hash: F2D0126A10E3D0AEE2132A3428928A0BF60DE67A00F680CDFE6D4C6853C01814DEC323

Function 08834AC0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005f63a356a0a95b83da17ca60c989488213ca0a0d974ed9600a2a3771ccbbf2
Instruction ID: f620e8396129b876f3d9475272fb2af28c3438fac6afe6123e1e57c9f5fd13b3
Opcode Fuzzy Hash: 005f63a356a0a95b83da17ca60c989488213ca0a0d974ed9600a2a3771ccbbf2
Instruction Fuzzy Hash: 24B012E3880F295BCD402261EC4FBE27B6CD388112F448DB3E00E84EC3DD1AE103484A

Function 0883D670 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7fb54848cb42fa9c4f1ff7fdb3f2b801ef5090584629ef5d554f098904a7a0
Instruction ID: 5b6ad097ad9bdda1d9b6e703464afe063b51bcb005b752ee7824fcae0cc245bf
Opcode Fuzzy Hash: cc7fb54848cb42fa9c4f1ff7fdb3f2b801ef5090584629ef5d554f098904a7a0
Instruction Fuzzy Hash: 0DC08C30042614CBC2002BA8F80D3F437A8A702313F401019E20D80551AB6A7068EAD5

Function 0883560D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87aa4a197e5504e8611a40a18c10d5259af6d212e4aff080ba5df6c55ee79a76
Instruction ID: 354de37fe0ddd43bffbafeddecc1fff0afee4bc716c2d2a167304d27b69b381c
Opcode Fuzzy Hash: 87aa4a197e5504e8611a40a18c10d5259af6d212e4aff080ba5df6c55ee79a76
Instruction Fuzzy Hash: 3EC04CB1240620CFC718DF5DD048954B7F4FF48715B1105DAE159CB672C7B2D840CB40

Function 08838A24 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108faaf896635c308f53e65548c4d70a27d2e7fad80b932133c888270f182220
Instruction ID: 24845f943a88867c9d1081b6a71d66e29a26550f6de155f07d6a24e3379f90c5
Opcode Fuzzy Hash: 108faaf896635c308f53e65548c4d70a27d2e7fad80b932133c888270f182220
Instruction Fuzzy Hash: BDB012BA9E4230B5400462784F50DBFA844FFB2703B509C21B304C0414C4698438D15B

Function 0883F918 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4e4797799f0f9808207a1c387b021a02fa67b8cfdd82fc09337eac1c3a195b
Instruction ID: 6fddf92cb72ea0fea7046a0e32330a40a0dc71850e1b9b74f9799fb7ac0790e3
Opcode Fuzzy Hash: 6a4e4797799f0f9808207a1c387b021a02fa67b8cfdd82fc09337eac1c3a195b
Instruction Fuzzy Hash: 25B09230504274DFC3549F20C144AA837BABF4A206F4044D8E00A96212C776DC85CE40

Function 08834AD0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f395f324cbae09c9cee9e79ba58d0e201094160120fc4be4298f0dc4934f8391
Instruction ID: db40004febd47a03a0473273cebf9bc9d695b63b8ed1098cc423ac8890c22f90
Opcode Fuzzy Hash: f395f324cbae09c9cee9e79ba58d0e201094160120fc4be4298f0dc4934f8391
Instruction Fuzzy Hash: B590023104461C8BC5802796784A5A5B75C9588516B904852A50D419826A6B65155995

Non-executed Functions

Function 08833630 Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

$]q, xrefs: 088337B1

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: bcc537a56d08ba6e8a26de96abc6e6fc103a38190c25a3e4784c60533058825b
Instruction ID: 5cd073ca52bfd38d24ddab2ac3705ae3b1316b07bb147ec9c335340d8a690616
Opcode Fuzzy Hash: bcc537a56d08ba6e8a26de96abc6e6fc103a38190c25a3e4784c60533058825b
Instruction Fuzzy Hash: 76E1F570908769CFD7158F68E8412AABBB1FF42316F04826BD4B6DB7A2D3349941CB91

Function 0708B2D0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586251c3b147e0ef6851a1f19dd665cdaa1338d81e8bda18ede2f5ddfa559c0d
Instruction ID: fe6925cf756c16b1d6db13dca010b834f724f78cb384220688496a8db8cfd013
Opcode Fuzzy Hash: 586251c3b147e0ef6851a1f19dd665cdaa1338d81e8bda18ede2f5ddfa559c0d
Instruction Fuzzy Hash: BCD19AF47006058FDBA9EB79C560BAEB7EAAF89700F144569D186DB390CF35E801CB52

Function 07083F00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c03637f92b0238fdb1d6903235f0a3c1aac6698f6098b32e6e13764a33757a6
Instruction ID: e3c1701eb8a93b206f86e69e2aa340e4ee79ce02b174ceee081a82e86650cf9b
Opcode Fuzzy Hash: 0c03637f92b0238fdb1d6903235f0a3c1aac6698f6098b32e6e13764a33757a6
Instruction Fuzzy Hash: 73E13EB4E0425A8FCB54DFA8C5809AEFBF2FF89305F248269E454AB355C731A941CF61

Function 07081F80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52bd76f0d250392121dad2ccdd153567fb6f146ad360682b58e289ca3e41689
Instruction ID: c579d88d7e16430e0078d0735dfec4fed9cf807638e8ed8501e3557273503e5d
Opcode Fuzzy Hash: a52bd76f0d250392121dad2ccdd153567fb6f146ad360682b58e289ca3e41689
Instruction Fuzzy Hash: C7E12CB4E102198FCB54DFA8C5809AEFBF2FF89305F248269D554AB356C731A981CF61

Function 070845C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23b8e28e67f2ada34fedfe34a07e5b68435d4649fd9d5a24405af0cda3be2b8
Instruction ID: fac3890a5405dd1dea2fe1877ccb7846e43409d7e28d28a60808b631a8b340ee
Opcode Fuzzy Hash: e23b8e28e67f2ada34fedfe34a07e5b68435d4649fd9d5a24405af0cda3be2b8
Instruction Fuzzy Hash: 24E12BB4E0015A8FCB54DFA8C5809AEFBF2FF89305F248269E454AB356D731A941CF61

Function 07081B48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23217f2e436a9fa9c20096a3fd7fba1219c99f657e33213ccfe036a6a1497b72
Instruction ID: 231e092d671cc0ce447a08cbcbf86ff53bcf898d2bd82f743560646423fc4d4d
Opcode Fuzzy Hash: 23217f2e436a9fa9c20096a3fd7fba1219c99f657e33213ccfe036a6a1497b72
Instruction Fuzzy Hash: 42E12DB4E001198FCB54DFA9C5809AEFBF2FF89305F248269D454AB356D731A942CF61

Function 070823B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d2f9bad34c6294d131c08657f531fa998d454de41f6a4bb93f888f47d0faf0
Instruction ID: 3a24c6acca3360fcae7c8be5adacfefc90ea20ddebde2c2b2f23c668690fa57d
Opcode Fuzzy Hash: 77d2f9bad34c6294d131c08657f531fa998d454de41f6a4bb93f888f47d0faf0
Instruction Fuzzy Hash: 1DE11BB4E001198FCB54EFA9C5809AEFBF2FF89305F248269D454AB356D731A981CF61

Function 08839150 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153d480daf89888a9f9d164ab3a2ed7c722c9c7767d99cfe5398d822c849f3a1
Instruction ID: e60aaa570d47b52e71fbd5e21e626d99426cb2b8c2641d1b13bd44fd914a1e27
Opcode Fuzzy Hash: 153d480daf89888a9f9d164ab3a2ed7c722c9c7767d99cfe5398d822c849f3a1
Instruction Fuzzy Hash: 23D11931D1465ACACB11EF78D950AEDB7B5FF95300F20979AE0097B214EB706AC9CB81

Function 0286E2EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051489930.0000000002860000.00000040.00000800.00020000.00000000.sdmp, Offset: 02860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2860000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b993a694ef139eb6a83a0e3ecb4ca91a914aeb0842edc826e4dd4a9986462372
Instruction ID: 6ff53a72459864d59f3554f919c86512188073561ce17c86638768658142fe6d
Opcode Fuzzy Hash: b993a694ef139eb6a83a0e3ecb4ca91a914aeb0842edc826e4dd4a9986462372
Instruction Fuzzy Hash: 2AA1913AE002098FCF05DFB5D9449AEB7B2FF85305B19456AE906EB264DB31E916CF40

Function 08839160 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2592547003b51b7fc65ae057b9607ec8b0c71384af28b96ddc037ebacee391fe
Instruction ID: 1d4a0a99d42a054ec005316ef79c2e37320114e9363f3a77d792d19e69284d6f
Opcode Fuzzy Hash: 2592547003b51b7fc65ae057b9607ec8b0c71384af28b96ddc037ebacee391fe
Instruction Fuzzy Hash: 78D1E935D1065A8ACB11EF78D950AEDB7B5FF95300F10D79AE0097B214EB70AAC9CB81

Function 07081F71 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ac55800daef8f797ae1b0a7b8f255820154388ccbcd0fb620ed28be1070e0a
Instruction ID: 0e01ebd40b7395229233d3d7e0a82285665265746736a0b39e068e78cdb777f2
Opcode Fuzzy Hash: 68ac55800daef8f797ae1b0a7b8f255820154388ccbcd0fb620ed28be1070e0a
Instruction Fuzzy Hash: 95513BB4E052198FCB14DFA9C9805AEFBF2BF89304F24C16AD518AB316D7319942CF61

Function 070845B0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058961926.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7080000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659f7d10d499e8d019859d3bdf43f27fc53406061ab41c1341681a873fd288a6
Instruction ID: 7830bbeed3ad048d2ca0dc002c56f168404b08c65e7f2d417fe2527c78866aec
Opcode Fuzzy Hash: 659f7d10d499e8d019859d3bdf43f27fc53406061ab41c1341681a873fd288a6
Instruction Fuzzy Hash: BE513AB4E0521A8FCB54DFA9C5805AEFBF2BF89304F24816AD458AB316D7319942CF61

Function 08830318 Relevance: 10.1, Strings: 8, Instructions: 84COMMON

Download Yara Rule

Strings

4']q, xrefs: 0883040D
4']q, xrefs: 088303A4
4']q, xrefs: 0883035E
4']q, xrefs: 08830430
4']q, xrefs: 08830381
4']q, xrefs: 0883033B
4']q, xrefs: 088303C7
4']q, xrefs: 088303EA

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-692194742
Opcode ID: 96ba0628567360680fc981deb2d9c6c3114c172a6d8958a15594f6db35cee872
Instruction ID: 8d36d07b24228bea35d887c91e5000c54b23c7c7b57abd1495664c04fb43ed8e
Opcode Fuzzy Hash: 96ba0628567360680fc981deb2d9c6c3114c172a6d8958a15594f6db35cee872
Instruction Fuzzy Hash: 64317030A0010A8FCF0DEFB9E9919DD7BB5FF80604B11456AC045BB264DF356E0ACBA2

Function 08830328 Relevance: 10.1, Strings: 8, Instructions: 78COMMON

Download Yara Rule

Strings

4']q, xrefs: 0883040D
4']q, xrefs: 088303A4
4']q, xrefs: 0883035E
4']q, xrefs: 08830430
4']q, xrefs: 08830381
4']q, xrefs: 0883033B
4']q, xrefs: 088303C7
4']q, xrefs: 088303EA

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
API String ID: 0-692194742
Opcode ID: 4e1374d30acea69dcd91cd87f858a25eecd902bedd45fa065060ba985abd2bbc
Instruction ID: dba0b2f2bbfaf5a619296d8c082e6753b6d0ce4753a8cd25330980447580a786
Opcode Fuzzy Hash: 4e1374d30acea69dcd91cd87f858a25eecd902bedd45fa065060ba985abd2bbc
Instruction Fuzzy Hash: 24311A30A0010A8FCF0DEFB9E9919ED7BB5FF84604B11456AD0557B264DF356E0A8BA2

Function 088323E8 Relevance: 7.8, Strings: 6, Instructions: 273COMMON

Download Yara Rule

Strings

$]q, xrefs: 08832826
$]q, xrefs: 08832816
LR]q, xrefs: 088327E0
LR]q, xrefs: 088326F7
LR]q, xrefs: 088326E7
LR]q, xrefs: 088327D0

Memory Dump Source

Source File: 00000000.00000002.2059082543.0000000008830000.00000040.00000800.00020000.00000000.sdmp, Offset: 08830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8830000_Payment List.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$LR]q$LR]q$$]q$$]q
API String ID: 0-2875722158
Opcode ID: 132bb2eda9ddb636ca587428930921b499b25b1a6bc42e836947050c0c79ae08
Instruction ID: 1aac750ec45ac9df49ed3856a2d156f81ceb293ab5af65dd380e84729a9534dd
Opcode Fuzzy Hash: 132bb2eda9ddb636ca587428930921b499b25b1a6bc42e836947050c0c79ae08
Instruction Fuzzy Hash: 5AC10970E04228DFCB18DF98C584AADB7F2BF48306F158569E416AB355D734EC82CB91

Analysis Process: Payment List.bat.exePID: 7228, Parent PID: 4268COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	173
Total number of Limit Nodes:	20

Executed Functions

Function 068C2420 Relevance: 9.0, Strings: 6, Instructions: 1478COMMON

Download Yara Rule

Strings

$]q, xrefs: 068C382C
$]q, xrefs: 068C37F7
$]q, xrefs: 068C3803
$]q, xrefs: 068C3844
$]q, xrefs: 068C3820
$]q, xrefs: 068C3850

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 9fa13991097236663b38560556b08f86f66e5350801d3344b9c9a2f8d299d994
Instruction ID: 9e0670d8166ec2219298f3f30f5939607e774d283f0abe6c5a83d39ad07f9a94
Opcode Fuzzy Hash: 9fa13991097236663b38560556b08f86f66e5350801d3344b9c9a2f8d299d994
Instruction Fuzzy Hash: 41D25930E006098FDB64DF68C594A9DB7B2FF85314F54C56AE409EB2A5DB34ED86CB80

Function 068CB2C8 Relevance: 8.3, Strings: 6, Instructions: 763COMMON

Download Yara Rule

Strings

$]q, xrefs: 068CBC6D
$]q, xrefs: 068CBCA1
$]q, xrefs: 068CBC45
$]q, xrefs: 068CBC39
$]q, xrefs: 068CBCAD
$]q, xrefs: 068CBC79

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: d09f95f025d474de6bb3479e780f5aca365b649340a94fa62a5e0092933c0528
Instruction ID: 2eb89283f59e791ad122ed7f7a711d75ca497120c7b3a4bc0dad7c744268889a
Opcode Fuzzy Hash: d09f95f025d474de6bb3479e780f5aca365b649340a94fa62a5e0092933c0528
Instruction Fuzzy Hash: AC527130E006098FDF64CFA8D581BAEB7B6EF85320F10882AE549EB355DA35DD45CB91

Function 068C7E08 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 068C8145
$]q, xrefs: 068C8151

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: a13b966355699a7587cf6785a9adf9283b9d1c23cd7590dfaec4d3f2145d88d0
Instruction ID: be104c11aed1488dbcb4805db96b7460a1a9564dd5ec844241bfe47cdf94e503
Opcode Fuzzy Hash: a13b966355699a7587cf6785a9adf9283b9d1c23cd7590dfaec4d3f2145d88d0
Instruction Fuzzy Hash: 43028D31B002058FDB54DF68E490AAEBBE6FF84324F148529D50ADB395DB35ED46CB81

Function 068C5630 Relevance: 1.8, Strings: 1, Instructions: 595COMMON

Download Yara Rule

Strings

$, xrefs: 068C59E7

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: c7e49b446a6782806768e3ebfb84308e8063c43e8929a9cae2e57a7020a5cbd1
Instruction ID: 7273d9ef89b3f36d6d61ae03a78ffc0004ec360e16c808d18b3cdf39c39cb57e
Opcode Fuzzy Hash: c7e49b446a6782806768e3ebfb84308e8063c43e8929a9cae2e57a7020a5cbd1
Instruction Fuzzy Hash: 9C22D275E002058FDF60CBA4D4806AEBBF2EF84320F14856AD649EB355DA30ED55CB92

Function 068C6678 Relevance: .8, Instructions: 813COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe64d996e942322b31d33b993c118d4fc28d6b4755a1bf5cae726b5cffd706e
Instruction ID: 4d655bcaf1d4ec10ebbacc8d777d13ad97b49911af8033d26bb2ce5c47972c70
Opcode Fuzzy Hash: fbe64d996e942322b31d33b993c118d4fc28d6b4755a1bf5cae726b5cffd706e
Instruction Fuzzy Hash: B2629E34B002058FDB54DB68D594AADB7F2EF84324F148479E50AEB395EB35EC86CB81

Function 068CC220 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290106fe5c97b7aaaa0cf0e6cc9231b47cf4765e3bad6f57a54a755210210d97
Instruction ID: d7f6f208cfd8d64f5067a0685dedfdf171dd43601eb8373d5447a0c466cf98d3
Opcode Fuzzy Hash: 290106fe5c97b7aaaa0cf0e6cc9231b47cf4765e3bad6f57a54a755210210d97
Instruction Fuzzy Hash: 06329F31B002098FDB54DFA8D990BAEB7B2FB88324F109529E509E7355DB35EC46CB91

Function 068CAD60 Relevance: 12.9, Strings: 10, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 068CAF38
$]q, xrefs: 068CAF03
$]q, xrefs: 068CAF2C
$]q, xrefs: 068CAE8D
$]q, xrefs: 068CAF0F
XM, xrefs: 068CB212
$]q, xrefs: 068CAEE0
XM, xrefs: 068CB131
$]q, xrefs: 068CAE81
$]q, xrefs: 068CAED4

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: XM$XM$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1012131581
Opcode ID: d77799249f5c70b98f1492205cd2725b389eec082e5d01e8713ef005a22a1723
Instruction ID: cf7ad0d64c07fd8e71ae07c1b6275b7f496f61d3c5c91a8dab0c8b135bb08ba0
Opcode Fuzzy Hash: d77799249f5c70b98f1492205cd2725b389eec082e5d01e8713ef005a22a1723
Instruction Fuzzy Hash: 12E1A030E102098FCB68DFA8D8916AEB7B6EF85314F10852DE909EB354DB75DC46CB81

Function 068BB228 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|b, xrefs: 068BB3B6
|b, xrefs: 068BB3DB

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: HandleModule
String ID: |b$|b
API String ID: 4139908857-2757074553
Opcode ID: b0461b4a9e7e662f918641b1b4137e59390a214dfe0df0a49d0ceb2788ee38a3
Instruction ID: 59dc2305c8547ebbbe5797d58fea698fdd4ad20c9ed3abeac639b8469d6866aa
Opcode Fuzzy Hash: b0461b4a9e7e662f918641b1b4137e59390a214dfe0df0a49d0ceb2788ee38a3
Instruction Fuzzy Hash: 12812170A00B058FD7A4DF6AD4447AABBF1FF88204F009A29D59AD7B50DB74E849CB91

Function 068C91D8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 068C925A
$]q, xrefs: 068C9266
$]q, xrefs: 068C922B
$]q, xrefs: 068C921F

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 4533c0880f548e01b5b4b3d2e27edc815a1f2552a3f7a2098f6059d6ef1c3141
Instruction ID: de5680d7fd12f0aba8b8087f58eb6185c9a29fd043220694324ce6ef02d76d9c
Opcode Fuzzy Hash: 4533c0880f548e01b5b4b3d2e27edc815a1f2552a3f7a2098f6059d6ef1c3141
Instruction Fuzzy Hash: 44914E31B0021A9FDB54DF69D8507AEB3F6BB84314F1084A9D91DEB348EB70DD468B91

Function 068CCFE8 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 068CD3E7
$]q, xrefs: 068CD3DF
$]q, xrefs: 068CD3F3

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: a25035705a8b701a1838bfb214dfd7fc2f7d1f71a2c74a3029853ecae617ec15
Instruction ID: caee09aedfd6f8df0686b48b0bfef3ebf98cf15e0d771a107302d53465e56c82
Opcode Fuzzy Hash: a25035705a8b701a1838bfb214dfd7fc2f7d1f71a2c74a3029853ecae617ec15
Instruction Fuzzy Hash: 2A622C3460020A8FCB55EF68E580A5DB7E6FF84314B20CA79D009DF269EB75ED46CB81

Function 068C4C08 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 068C4C33
XPbq, xrefs: 068C4D59
\Obq, xrefs: 068C4DE3

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: dcebd90075e4cdd238034a5a0d9097105bab96fe83b0b461efad299b20a88738
Instruction ID: 5dbec4610cebcdb894e7c636ba0a17b9c17e954f3ccb93760ae579999faf7e7a
Opcode Fuzzy Hash: dcebd90075e4cdd238034a5a0d9097105bab96fe83b0b461efad299b20a88738
Instruction Fuzzy Hash: CA617E30F002099FEB549FA4C8557AEBBF6EF88710F208429E50AEB395DF759C458B91

Function 068C91D6 Relevance: 2.7, Strings: 2, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 068C925A
$]q, xrefs: 068C921F

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: d2f055399051c73479cbba2d28084902bfcc12cab7a1617bb4b5e4560443b8ba
Instruction ID: f9f55c97fc305d659eb2db965bbbcc1109a18befe7c7bd0db8a26ea3d50adce6
Opcode Fuzzy Hash: d2f055399051c73479cbba2d28084902bfcc12cab7a1617bb4b5e4560443b8ba
Instruction Fuzzy Hash: E0514F31B001059FDF58DB78D8A0BAEB3F6AB88714F10846AD51DEB398DA71DC068B91

Function 068C4BF8 Relevance: 2.6, Strings: 2, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 068C4C33
XPbq, xrefs: 068C4D59

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: d907534907ca666e0a2d772526a63dac7f8d7e9a18347d66590ae768e637d210
Instruction ID: bbc429d037a48b62fc97f8d30945cc6ecae764cf870ad12a7166be64b16f02e1
Opcode Fuzzy Hash: d907534907ca666e0a2d772526a63dac7f8d7e9a18347d66590ae768e637d210
Instruction Fuzzy Hash: B1517F70F002089FDB549FB4C8557AEBBF6AF88700F208529E50AEB395DE758C419B91

Function 00F1EB58 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3235898801.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20921537332761caa0a272c02843ea5c534c9f0a99b493db29a903e9530b2387
Instruction ID: 81752eaf2ea74459decaa6bff5aa240a0cc327930b5cddae6a2395f5b889e0ce
Opcode Fuzzy Hash: 20921537332761caa0a272c02843ea5c534c9f0a99b493db29a903e9530b2387
Instruction Fuzzy Hash: 59513571D087858FC715CF78D8542EABFF1AF89320F0585ABD849E7282DB389985CB91

Function 068BD804 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068BD922

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c6c7f6b5460c188a146ddd74f09f34f77879d6f9a32be370a7b77de62b3f5a4a
Instruction ID: a402daafe9d03b79b77697f2f1477713aab9ebd01bb7e73a36128fcf90fab721
Opcode Fuzzy Hash: c6c7f6b5460c188a146ddd74f09f34f77879d6f9a32be370a7b77de62b3f5a4a
Instruction Fuzzy Hash: 7D51CFB1D00349AFDB14CFA9C884ADEBBF5BF49310F24952AE819AB210D7759845CF90

Function 068BD810 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068BD922

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a344604d5734435481e1cfd8f2b03bd632b91442f8d54e0d4a312292946682cf
Instruction ID: b52f1c4f393cacfd0e292a91004a99aad76379bd1c7738d26f54039e203cb58f
Opcode Fuzzy Hash: a344604d5734435481e1cfd8f2b03bd632b91442f8d54e0d4a312292946682cf
Instruction Fuzzy Hash: 4041A0B1D00309AFDB14CFA9C894ADEBBF5BF48310F24952AE419AB210D7759845CF90

Function 068BCD6C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 068BFE91

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ac66c1d0d07de24b097672b6d68e91597beca64869418a455e5e76f058150ab4
Instruction ID: 56795502e66c80aef8cc13b47b48edb7951a6107a608f609d2c2399e188841c3
Opcode Fuzzy Hash: ac66c1d0d07de24b097672b6d68e91597beca64869418a455e5e76f058150ab4
Instruction Fuzzy Hash: F84117B49003099FDB54CF99C888AAEBBF5FF88314F24C459D619AB321D374A845CFA0

Function 068B3050 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068B30D7

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eec8eb6aac470b7de6dbbe0d9e01ab33b3f126e000045a04370a444b3b70a92d
Instruction ID: 45214d1d3887859f4be2071cb7b55e89cc3a0232b31d3a4a194388aa106d9f82
Opcode Fuzzy Hash: eec8eb6aac470b7de6dbbe0d9e01ab33b3f126e000045a04370a444b3b70a92d
Instruction Fuzzy Hash: E121B3B59002489FDB10CFAAD984ADEBBF9EB48310F14841AE918A3350D379A944CFA5

Function 068B3048 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068B30D7

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb250c73b4f20b458292a25dcac478735328850e2ff3a81cc9eacc49f55b1218
Instruction ID: 4f03371565a3a0060886532784534be22decbcd36d51636ae21868f726ac5e8f
Opcode Fuzzy Hash: eb250c73b4f20b458292a25dcac478735328850e2ff3a81cc9eacc49f55b1218
Instruction Fuzzy Hash: 1421E0B5D00209DFDB10CFAAD584AEEBBF5EF48310F14845AE919A3350C379A944CFA1

Function 068BB679 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 068BB6EA

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1aec52fce988047592873ebc040a7c66c2173829e7c11e9c8fa38c5f0c009307
Instruction ID: 0653bda055595646ddbfeb37cffbd7994c4583f7c5d2f88dec7b717bbd9bd1bb
Opcode Fuzzy Hash: 1aec52fce988047592873ebc040a7c66c2173829e7c11e9c8fa38c5f0c009307
Instruction Fuzzy Hash: BC1106B6C002099FDB10CF9AD844ADEFBF5EB89310F10841AD519A7210C775A545CFA5

Function 068BB680 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 068BB6EA

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7d73485646fc5bbac1585289610686a91f4bead5ae60903639538b04e8ad62df
Instruction ID: 13f6cbf004892e23ff84951fed7834fbd0312147207d34ed8bcd0762c4531979
Opcode Fuzzy Hash: 7d73485646fc5bbac1585289610686a91f4bead5ae60903639538b04e8ad62df
Instruction Fuzzy Hash: 9811F3B6C003099FDB10CFAAD844ADEFBF8EB49320F10842AD519A7310C779A945CFA5

Function 00F1EC40 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 00F1ECA7

Memory Dump Source

Source File: 00000009.00000002.3235898801.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_Payment List.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 17420a7872d59036c85d7280ec92e693733d885bad0b459054f10e0f2ca3351e
Instruction ID: 606a59b30ab288b949f7c7594e2177d92c7d3582a038c56674da79d92e6233db
Opcode Fuzzy Hash: 17420a7872d59036c85d7280ec92e693733d885bad0b459054f10e0f2ca3351e
Instruction Fuzzy Hash: 3311EFB1C006599BDB10DFAAD944ADEFBF4EF48320F14816AD818A7241D778A944CFE5

Function 068BA17C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,068BB244), ref: 068BB47E

Memory Dump Source

Source File: 00000009.00000002.3248872482.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68b0000_Payment List.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5e2c1d5b1e4ccb51a2f48a0ee5e1cddcf9c391e3762cc9542e7fa559a79e59ac
Instruction ID: 2dbfa3507ec02393960eedd6bade3fde769b5c9ac3df0a3cd5dd12f27f0ba03e
Opcode Fuzzy Hash: 5e2c1d5b1e4ccb51a2f48a0ee5e1cddcf9c391e3762cc9542e7fa559a79e59ac
Instruction Fuzzy Hash: 7D11FDB5C007498FDB24DF9AC844ADEFBF4FB88224F10846AD919A7311C379A545CFA1

Function 068CDB70 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PH]q, xrefs: 068CDCB9

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 0e1dd5ef9e9876cdecfaef1c08bcd216ff3843dd9c689b83c6fd17ae0c7c9f8e
Instruction ID: 9fb529739854a36706070486e8c34a2f6f6dc20519536b88836bb2ea3db7eb67
Opcode Fuzzy Hash: 0e1dd5ef9e9876cdecfaef1c08bcd216ff3843dd9c689b83c6fd17ae0c7c9f8e
Instruction Fuzzy Hash: 07419D30E102099FDB54EF65C89469EBBB6BF85350F10893AE505EB340EB70E946CB81

Function 068CDB5D Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH]q, xrefs: 068CDCB9

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 9a247f461678d953aad7ebc05361e64e0febf62abf3e98ce9e517ebf122f0528
Instruction ID: 7cbf89dffcf2eaf28ffedd3ec7f746fd0a541a28614599646e1c55628833dd8b
Opcode Fuzzy Hash: 9a247f461678d953aad7ebc05361e64e0febf62abf3e98ce9e517ebf122f0528
Instruction Fuzzy Hash: 33418E70E102099FDB55EF65C98069EBBB2AF85310F10893AE505EB340EB70D906CB81

Function 068C2285 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

PH]q, xrefs: 068C23D3

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: b9f2b8a26726634632f03255cbc1cf58c0bbaa58a776085e5c4303888ebaaccf
Instruction ID: b125415bc0d836c7d11643e990ac71e7352a49a37a8eca5aae0f4bdc0cf3f7da
Opcode Fuzzy Hash: b9f2b8a26726634632f03255cbc1cf58c0bbaa58a776085e5c4303888ebaaccf
Instruction Fuzzy Hash: 1131E330B002058FDB59AB74C56066E7BE6BF89214F10847ED406DB3A5DF39CE46CB91

Function 068C2298 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 068C23D3

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 630776a5f8897476eb8885855029d530b1fd387b146bbf0c6f0763aa03cfec03
Instruction ID: 11d3d8293bfc78717c0fa0eeb7f6d8f61deeb282fb6fb0a4e525caa902cc2637
Opcode Fuzzy Hash: 630776a5f8897476eb8885855029d530b1fd387b146bbf0c6f0763aa03cfec03
Instruction Fuzzy Hash: C231D030B002058FDB58AB74D46466E7BE6BF89220F20843DD406EB3A4DF35DE46CB95

Function 068CB2BB Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12c05d4818d3793be786e1fe2fd94963f1fc8b0850b33c12dc983b3fd019270d
Instruction ID: ab86f53f00f9fbbc1a98647d725c79ba8f7bf20b95518e541680839db7ee0f5c
Opcode Fuzzy Hash: 12c05d4818d3793be786e1fe2fd94963f1fc8b0850b33c12dc983b3fd019270d
Instruction Fuzzy Hash: 50B19770F105098FDF64DBADD491BAE77E6EB89320F204829E509E7395CA39DC41CB52

Function 068C6270 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce1a90b013a0d49579644f6689cdacab74b5a88426a6ab5cca176bc0aba27c6
Instruction ID: d70bd3aed2e40c5f35d554f9386e1dfe3e160ee29d25f36fe06f49998004d7b4
Opcode Fuzzy Hash: cce1a90b013a0d49579644f6689cdacab74b5a88426a6ab5cca176bc0aba27c6
Instruction Fuzzy Hash: 8C61D071F000214FDB54AA7AC890A5FBADBAFD4220F144439D90EDB364EE75DD0287D2

Function 068C4658 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6883d6cb7eeb0e952e3a03c175531cebee5fe5ccaab76adcc48a33f431b24542
Instruction ID: 6b22f011f2634df5ad910b4f69ef568f7aaa7c528294563edcf7569f6da710a4
Opcode Fuzzy Hash: 6883d6cb7eeb0e952e3a03c175531cebee5fe5ccaab76adcc48a33f431b24542
Instruction Fuzzy Hash: A4913C30E006198FDF60DF68C890B9DB7B1FF89310F208599D54DEB295DB70AA86CB91

Function 068C4339 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce32b0ef1396cc1f14ccbfcc74c9e195a5a9aa1b672b85cdd72928535b3e0a
Instruction ID: a607cd8c46c4843a886fbca5b7859b17c3fb7bcc2918ce7f0f9fc7fa76dd66f8
Opcode Fuzzy Hash: f5ce32b0ef1396cc1f14ccbfcc74c9e195a5a9aa1b672b85cdd72928535b3e0a
Instruction Fuzzy Hash: B9815F31B006068FDB54DFB9D46469EB7F2AF85314F108429E90ADB399DF35EC868B81

Function 068C4670 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c383810c1df6a0c2eab751f0f82ea469e383f491490af5779bd2fab74ed0b84
Instruction ID: 7bbe669abf589de7af2ffafa5de63d3afea114d094ceb7ad791dbc0a021ca826
Opcode Fuzzy Hash: 8c383810c1df6a0c2eab751f0f82ea469e383f491490af5779bd2fab74ed0b84
Instruction Fuzzy Hash: 5A911A30E0061A8BDF60DF68C890B9DB7B1FF89310F208599D54DAB255DB70AA86CB91

Function 068CEBB0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7675550974807c76e9ef04d575401916cc296a3b1d906dd63048aea059a68064
Instruction ID: 40699fab20a28a3640b67deedcd04eef34df5bd20550f14a4ff8632040b6ca6c
Opcode Fuzzy Hash: 7675550974807c76e9ef04d575401916cc296a3b1d906dd63048aea059a68064
Instruction Fuzzy Hash: 12816F30A002499FDB94DFA8D984AADBBF6FF84310F148429E509EB355DB34ED46CB41

Function 068CEBC0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89cbeb20d2e8e99fafc2076a035140e16f64c14508de7e0cfdbae7f9062605e
Instruction ID: 2e3950fdc514037a6b2a7906fdf463c937d52857f5746ecdbb3032eab56a26e5
Opcode Fuzzy Hash: c89cbeb20d2e8e99fafc2076a035140e16f64c14508de7e0cfdbae7f9062605e
Instruction Fuzzy Hash: 3D712C30A002099FDB94DFA8D994AADBBF6FF88310F148429E509EB355DB34ED46CB51

Function 068CFD20 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9a66acec0cfa26a88addb2461af6d52ed2670f3f20fcb1c118d6a03272d3b9
Instruction ID: c0b806370907534b39fa9e1469985b296c28b235b8c9a3a0a10cf599024b1371
Opcode Fuzzy Hash: 8f9a66acec0cfa26a88addb2461af6d52ed2670f3f20fcb1c118d6a03272d3b9
Instruction Fuzzy Hash: FD51B331E101058FEB54AB78E8546ADB7B3FF85325F10886EE30ADB290DB35D855CB81

Function 068CFAD1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877aca97c6645cbc44d10ef17548d42d4fe8b37f746e7d391e7e3757ce9a9598
Instruction ID: 4ab52e2f5c31ff03403c046895a50adb025107d69fef7f745cbb986bb8b42452
Opcode Fuzzy Hash: 877aca97c6645cbc44d10ef17548d42d4fe8b37f746e7d391e7e3757ce9a9598
Instruction Fuzzy Hash: 0451E874B102148FFFA4666CE95476F265FDF89320F20442EEA0AC3395CA3CCC568392

Function 068CFAE0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74d1c4dba40da29977fd74c4b326ae905924720057178c06534519c40cda4093
Instruction ID: 567bf0601ff3d8818c09ac8d5dd3c283dc975d56ce21d5d0a85f8eb8c3ee411b
Opcode Fuzzy Hash: 74d1c4dba40da29977fd74c4b326ae905924720057178c06534519c40cda4093
Instruction Fuzzy Hash: BD51C674B102148FFFA4666CE95476F265FDF89320F204829EA0AC3399CA38CC468392

Function 068C54C0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7f66ebb7851f194b3771ad5c38441cf5882a7374521ce74b0e20947ca9d658
Instruction ID: 70ba68c2572f5c5ceefca7d3e62af2e3431698470a2823b1415c2d9487277051
Opcode Fuzzy Hash: 9c7f66ebb7851f194b3771ad5c38441cf5882a7374521ce74b0e20947ca9d658
Instruction Fuzzy Hash: BB413D71E006099FDF70CEA9D880AAFFBB6EB84320F10492AD616D7650D731F9558B92

Function 068C2148 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08189b44525a1f43df0714149059c71a4c9a89dba6a97f6516473b756be1707
Instruction ID: d7e8384dab719a020d185f3fbbd9926dbea5bead08fdc084df322bbdd088b0a2
Opcode Fuzzy Hash: b08189b44525a1f43df0714149059c71a4c9a89dba6a97f6516473b756be1707
Instruction Fuzzy Hash: B8319C34E10209CBCB59CFA8D86469EB7F2BF89310F10852AE906E7290DB71E946CB41

Function 068C5620 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae204df3cd9c5714431be4248ca5258ef0072b822a6f191d2efc8609545e06f0
Instruction ID: 2f6f0a674c8395a9bf38fbea339e5839bada953370646d891c2c9ac02afbede9
Opcode Fuzzy Hash: ae204df3cd9c5714431be4248ca5258ef0072b822a6f191d2efc8609545e06f0
Instruction Fuzzy Hash: 07317375E105058FDF60CFA9C481BAEFBF1EB45320F10892ED25AD7291D634E991CB92

Function 068C2158 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd47620a06952af0791c9028bc23516197dcc79382557e79ec3d7db61489eca2
Instruction ID: 15fc655234a381513977317b9e11207d94d4f491028854a139d3658e3fd8657a
Opcode Fuzzy Hash: dd47620a06952af0791c9028bc23516197dcc79382557e79ec3d7db61489eca2
Instruction Fuzzy Hash: 06317C34E102098BCB59DFA8D86469EB7F2BF89310F108529E906E7390DB71ED46CB50

Function 068C3B38 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bda09e1ae1dcd61295fc9c37373bfe1f780a2ec9c7a007059736e0f57d3851
Instruction ID: 49229a80928352cb1a79fb63ce6ad379d98827df6fb85e772da5ab8c4bbea22d
Opcode Fuzzy Hash: 81bda09e1ae1dcd61295fc9c37373bfe1f780a2ec9c7a007059736e0f57d3851
Instruction Fuzzy Hash: 71218D75E012199FDB50DF79D841BEEBBF5AB88720F10802AE905E7395DB34DD428B90

Function 068C3B48 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c368f3fc2c7475f188e6f7e581a8810cc111ee5b8fda6ef47f81e8fe989934
Instruction ID: 2655c841abc259adc4cb7d1451660c825e961bda097fcbb5b36d155382a5f29b
Opcode Fuzzy Hash: d1c368f3fc2c7475f188e6f7e581a8810cc111ee5b8fda6ef47f81e8fe989934
Instruction Fuzzy Hash: 51218E75F016199FDB50DF79D881AAEBBF5EB48720F10802AEA05E7340EB30DD028B91

Function 00E8D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3235530456.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e8d000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e57dd8524e0f69c397a95928d2d9175e9dea710ee144365e0ebbd5850e6b02e
Instruction ID: a1c4bcc69a8b2937145ec5c15147fe62b82feb0a7dd450e974828795004a2d61
Opcode Fuzzy Hash: 2e57dd8524e0f69c397a95928d2d9175e9dea710ee144365e0ebbd5850e6b02e
Instruction Fuzzy Hash: 3C21F271508204AFCB15EF24CDC4B26BB66FB84318F20C569E94D5B292C73AD846DB62

Function 068C6DA0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b9999fbcf2e4085f98ea6570aa19e0cfddb072b6ee91baca65eee91d95e121
Instruction ID: 7a74a2ec068177b8c2b79e04864127ef0af50eefcef407b1c223b40161100332
Opcode Fuzzy Hash: 03b9999fbcf2e4085f98ea6570aa19e0cfddb072b6ee91baca65eee91d95e121
Instruction Fuzzy Hash: 6B21AF30B101199BDF94EA69E8506ADB7B7EB84324F24843AE509E7344EB31ED568B81

Function 068C30F8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209f13d907c6c9e6e2fcacc15e9c023228a0233958e248e8f67cfed2eb0bd933
Instruction ID: bf2155d6891f5f4c962f82af69b3666ff3dd69e4e6a629fa03f7526c4a5ef56b
Opcode Fuzzy Hash: 209f13d907c6c9e6e2fcacc15e9c023228a0233958e248e8f67cfed2eb0bd933
Instruction Fuzzy Hash: 8211B170E002189FCB58DB6DD8405DEF7B5EB89324F00856EE10AEB200DA31DA46CB91

Function 068C3C58 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b388ee64bf92be1286dc13565b83ee15ec55c95fccde905f19482e4ad8d60465
Instruction ID: 7de4f2af1cc848d6732013c3f71b4c1e10167ea9a6bf3b4a7e42f6b1b652a219
Opcode Fuzzy Hash: b388ee64bf92be1286dc13565b83ee15ec55c95fccde905f19482e4ad8d60465
Instruction Fuzzy Hash: 0D11E132B100298BDB54D678DC146AE73E6ABC8721F008139D90AE7344DE34DC028BD1

Function 068C429B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c65b377ce4d437511316ac8ba5fd3069dd119624cf2a1b27cd8e234c8ebbe2a
Instruction ID: 6bbab3f878bd045d98626469401eb4b1c17af131861fbcf96c74067fc5019240
Opcode Fuzzy Hash: 7c65b377ce4d437511316ac8ba5fd3069dd119624cf2a1b27cd8e234c8ebbe2a
Instruction Fuzzy Hash: 0A01F531B001110FDB6686BC9420B6FBBE6DBCA720F14843EE50ACB356CA65CD468391

Function 068CA398 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb20d24356c49a0fc0789f43995360d79458567ff301e2e7e110edd07c4f57cd
Instruction ID: 95b2583c30f087b813fbbafaf9e14d30c4af7c978bd9cb352b527b67a45fb45b
Opcode Fuzzy Hash: eb20d24356c49a0fc0789f43995360d79458567ff301e2e7e110edd07c4f57cd
Instruction Fuzzy Hash: 68014731B012144FC7A99A7DE82871E7BE6DF87720F10846EE60AC7351EE21DC028381

Function 068C3C48 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310c56b2ba2612822bcfe1aff5a73cd544ba45b2860797e648f198d2a258f766
Instruction ID: c08b456988339d7c3c60e762de69116d0feb27e246a160a1af300d1b527a7dbb
Opcode Fuzzy Hash: 310c56b2ba2612822bcfe1aff5a73cd544ba45b2860797e648f198d2a258f766
Instruction Fuzzy Hash: C5014536F101654BDB518678DC103AE3BE6ABC5225F08067FCA05D32D0DE34CC068782

Function 00E8D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3235530456.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e8d000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a67f6e979730a326eef1e4491a5d7bf1d95d2a9034dffe496514bde59cb246dc
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 0A11DD75508284CFCB12DF10C9C4B16BFA2FB84318F24C6A9D84D4B292C33AD84ACF62

Function 068C3918 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ba49d00c9f1b0fcb50d6a8fd9be8f3def53b39c7a71c2e3abbf47f103cde8d
Instruction ID: e8741987d3a11ac47b6da0a097486d23b0d809915525f50b4db664b987a4dece
Opcode Fuzzy Hash: 82ba49d00c9f1b0fcb50d6a8fd9be8f3def53b39c7a71c2e3abbf47f103cde8d
Instruction Fuzzy Hash: 8611B3B5D012599FCB00DF9AD884ADEFBB4FF49324F10852AE518A7340C375A554CFA5

Function 068C42A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b6eddec24d6e3d2045b52f69d8e6341d6e5cbf851f5272ba6d4f901cf21154
Instruction ID: fdee29b5a3f55fb1122349634c619d3fba432cc403063db6f4f16b3a4ab82f4f
Opcode Fuzzy Hash: a1b6eddec24d6e3d2045b52f69d8e6341d6e5cbf851f5272ba6d4f901cf21154
Instruction Fuzzy Hash: 40016D35B000110BDB6595BDE425B2EB6DADBCA721F10843DE60EC7359DA65DC424791

Function 068CEE31 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5c5ba04d387e9ea2fdff78826c0643399c033925d87fab41a2e93b2176a92b
Instruction ID: ac66509bf56cb54aa3d390c7a226136e85af4e344a886994ee7c1561d2f4d47e
Opcode Fuzzy Hash: 3c5c5ba04d387e9ea2fdff78826c0643399c033925d87fab41a2e93b2176a92b
Instruction Fuzzy Hash: 2A017C31B110114FDBA5EA6C9458B2E6BE6EBCA620F14882EE54ACB341DE31ED064385

Function 068C3910 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407d61067671da1aefd5a3065d94b6a69adeec4df4865037a035a895bbfd4d71
Instruction ID: 8c7d4e5ddabfb811989d6554576b7eb17ee851ca85cad8a81099ec1e95e8fda6
Opcode Fuzzy Hash: 407d61067671da1aefd5a3065d94b6a69adeec4df4865037a035a895bbfd4d71
Instruction Fuzzy Hash: B421CFB5D012599FCB00CFA9D984ADEFBF4FB09324F10862AE518A7240C378A544CFA5

Function 068CEE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb2dcf008d5640d662bda0000b797ae16a78cc40d4f013b42bf5d1eedce9c21
Instruction ID: 354708cbba489ec330cc3baeef3a88eb0ec082e9e3de015eeaa6b988fa239b39
Opcode Fuzzy Hash: cbb2dcf008d5640d662bda0000b797ae16a78cc40d4f013b42bf5d1eedce9c21
Instruction Fuzzy Hash: 62018C31B104154BDBA5AA6D9458B2EA7DADBCA660F24883DF60AC7340DE35EC024385

Function 068CA3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10eb1cfc0c8b92eef3787e477fbfa2412d0b5171d2c6f647824306b2a82682b6
Instruction ID: 1d1325bf85652db16fb8e96356ecdb69ec953597eddc71d9d51c96b938b7c14e
Opcode Fuzzy Hash: 10eb1cfc0c8b92eef3787e477fbfa2412d0b5171d2c6f647824306b2a82682b6
Instruction Fuzzy Hash: BF018135B115184FCBA8AA7DE858B2E77D6EB86720F108439E60AD7354DE31EC424381

Function 068CAFB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef0b85bb0888b24aeb341f9f8bce242240cb7b1c9cbefc009fb78c98d3c2b8a
Instruction ID: 381d86958f84ba6f090d12ddcc9b2282ef065329275c53f984a68998a6dd7750
Opcode Fuzzy Hash: 7ef0b85bb0888b24aeb341f9f8bce242240cb7b1c9cbefc009fb78c98d3c2b8a
Instruction Fuzzy Hash: 89F0E572F2022C8BEF748569D80979EBBA8E745370F00483FEA1AE7340D671EC858781

Function 068CC870 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c360c71f96a2792d5320b2aae11643927ebb3524404838cf3ce370b3eec19bd4
Instruction ID: 4204f3669ba6a796a1bf20fcd654e8e6a1f3fa73167ff0c16341bb0ff2a5db73
Opcode Fuzzy Hash: c360c71f96a2792d5320b2aae11643927ebb3524404838cf3ce370b3eec19bd4
Instruction Fuzzy Hash: DBF0A032E21268ABDB54A9B6EC05A9EB739E784764F004429FA05F7344DA76AC04CBC0

Function 068C64F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8de7ff5bd230311015a09e61b2824181c6d71441435ca54be22e07ba9846f7
Instruction ID: e123bab2413131c2488993b27b6acb897ff4afb9e12e03a07c2f7f7313f1b23f
Opcode Fuzzy Hash: da8de7ff5bd230311015a09e61b2824181c6d71441435ca54be22e07ba9846f7
Instruction Fuzzy Hash: 21E0D8B0D183845BEB118A64C90975D7B64974222CF2487AED544CB182E67ACE06CB81

Function 068C6508 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff06f97b8ae29cbbafe7b777b9a0c3b9abbc76b52a7c3517cc9004b6f22fea2
Instruction ID: 1b4ebcd6d9d58846bb2806540ebcdfc87be9f3e72cd92ce70e0592888138a542
Opcode Fuzzy Hash: aff06f97b8ae29cbbafe7b777b9a0c3b9abbc76b52a7c3517cc9004b6f22fea2
Instruction Fuzzy Hash: 2FE0C2B1E10108ABDF60CEB4C90575E77ECDB01228F7084B8D608C7202F272CE418780

Non-executed Functions

Function 068C7728 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 068C7CB8
$]q, xrefs: 068C788D
$]q, xrefs: 068C7899
$]q, xrefs: 068C7CDA
$]q, xrefs: 068C7C25
$]q, xrefs: 068C785C
$]q, xrefs: 068C7CCE
$]q, xrefs: 068C7CC4
$]q, xrefs: 068C7868
$]q, xrefs: 068C7C19

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 89946a7fd736b3ddbd45a1923a0c4cb5b983b35251c2b959b372d0c81a3b7ad0
Instruction ID: ac589d5406d7db8d946534ed1b21aa2906ede2e94e76559cd44098ee54b944eb
Opcode Fuzzy Hash: 89946a7fd736b3ddbd45a1923a0c4cb5b983b35251c2b959b372d0c81a3b7ad0
Instruction Fuzzy Hash: 1C121A30E002198FDB68DF69C994AADB7B2BF84314F208969D50AEB355DB34DD85CF81

Function 068CA9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 068CAABE
$]q, xrefs: 068CAB25
$]q, xrefs: 068CAB50
$]q, xrefs: 068CAB86
$]q, xrefs: 068CAB44
$]q, xrefs: 068CAB7A
$]q, xrefs: 068CAB19
$]q, xrefs: 068CAACA

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: e487da1d512fc30abe790459cbe63fde975c87b6ea8eb89a3585ae175f1c6a5e
Instruction ID: edfa8ea78ac8d0d21f82fd07f663cfebaa9e0982409598ac469819cca9936445
Opcode Fuzzy Hash: e487da1d512fc30abe790459cbe63fde975c87b6ea8eb89a3585ae175f1c6a5e
Instruction Fuzzy Hash: A1916C30A0020D9FDB6CDB69D995BAE7BB6AF84314F10852DE901E7394DB79DC45CB80

Function 068C7128 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 068C740A
$]q, xrefs: 068C7630
$]q, xrefs: 068C75C4
$]q, xrefs: 068C7464
$]q, xrefs: 068C7470
$]q, xrefs: 068C763C
.5uq, xrefs: 068C7183

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: ed4b490d68d0b178279ba18bc378f1af99ad46c3a066f587502556e8cd46e3f3
Instruction ID: 83cbe5b8b5c5b4fe268af6a2b330578fefa58980a0effae4c96a89b029952e41
Opcode Fuzzy Hash: ed4b490d68d0b178279ba18bc378f1af99ad46c3a066f587502556e8cd46e3f3
Instruction Fuzzy Hash: 50F13030A00208CFDB59EF69D994A6EB7B6BF84310F148569E406DB369DB75DC82CB40

Function 068C8460 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 068C872B
$]q, xrefs: 068C86BA
$]q, xrefs: 068C871F
$]q, xrefs: 068C86C6

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 437675f8c245fd9291cb5c96c4d187e3879d3bba2a1b63cd81a93c20a5f2bd46
Instruction ID: 92b12efeecfd7db439d1d0b199ebd6c1cbb940fd18a99a6d353cb0d4d3da3b4e
Opcode Fuzzy Hash: 437675f8c245fd9291cb5c96c4d187e3879d3bba2a1b63cd81a93c20a5f2bd46
Instruction Fuzzy Hash: F8B15E70A40208CFDB58DFA4D984AAEBBB6FF84314F24842AD406DB355DB75DC82CB81

Function 068CAD50 Relevance: 5.2, Strings: 4, Instructions: 179COMMON

Download Yara Rule

Strings

$]q, xrefs: 068CAF03
$]q, xrefs: 068CAF2C
$]q, xrefs: 068CAE81
$]q, xrefs: 068CAED4

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 50e3d48716ddcae1e824036ece2be591e05615b95934266214073cdbc39a3409
Instruction ID: 835390937aac9d15c92ec9dded3fa0ab8c4999d16f7474a0d7283a30775aba3e
Opcode Fuzzy Hash: 50e3d48716ddcae1e824036ece2be591e05615b95934266214073cdbc39a3409
Instruction Fuzzy Hash: 0A519130E1020D9FDB69DB68E980AADB7B2EF84321F14852EE505E7254DB75DC41CB91

Function 068C8878 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 068C89BA
$]q, xrefs: 068C88F7
LR]q, xrefs: 068C896B
$]q, xrefs: 068C8903

Memory Dump Source

Source File: 00000009.00000002.3248992203.00000000068C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_68c0000_Payment List.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 4826ddf9a7ccc57806e8830faa0e942cf89be8594d34fdab7aba8df8f20e2621
Instruction ID: 03775bf7804e3b77e8ee72fe4aa49d41db3ed5a5885205a3bd92178fe8bc4ff7
Opcode Fuzzy Hash: 4826ddf9a7ccc57806e8830faa0e942cf89be8594d34fdab7aba8df8f20e2621
Instruction Fuzzy Hash: 1151D030B402058FDB58DB68E980A6EBBE6FF84314F14856DE506EB3A5DB30EC45CB91

Analysis Process: qicqbuFUGCXO.exePID: 7336, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	253
Total number of Limit Nodes:	12

Executed Functions

Function 0167D780 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0167D7FE
GetCurrentThread.KERNEL32 ref: 0167D83B
GetCurrentProcess.KERNEL32 ref: 0167D878
GetCurrentThreadId.KERNEL32 ref: 0167D8D1

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7a3921731a3667dd3dc8000873c3e871098233e6b2503c931868c9511546fcbe
Instruction ID: 6187e435bd03a9969d40b8899c6257e37b27e3ea823fb61db2e0d9504e8ca11b
Opcode Fuzzy Hash: 7a3921731a3667dd3dc8000873c3e871098233e6b2503c931868c9511546fcbe
Instruction Fuzzy Hash: E35154B09013098FDB18DFA9D948BAEBFF5FF89314F208459E109A7364D738A944CB65

Function 077E4B84 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077E4DC6

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 14ebcd520e84b538479313368f32b9ac1eb479aacc96cff35481ff6e0c42c89f
Instruction ID: ab16c71ecd29c54bca5190dbbf6c7d70dac1137a877276cb048fcfba13299636
Opcode Fuzzy Hash: 14ebcd520e84b538479313368f32b9ac1eb479aacc96cff35481ff6e0c42c89f
Instruction Fuzzy Hash: 83A18BB1D0025ADFDF24DFA8C841BEDBBB6BF48314F148569E808A7250DB749985CF92

Function 077E4B90 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077E4DC6

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2d7de303efbab65c863d4376acc8e2806909dff46d497441c9d21e8c9595399f
Instruction ID: 9fe22f056c356a86f8ca153f8e8f9c028331d3e006e7242b7e3cd0bb40487e64
Opcode Fuzzy Hash: 2d7de303efbab65c863d4376acc8e2806909dff46d497441c9d21e8c9595399f
Instruction Fuzzy Hash: C3917AB1D0025ADFDF24CFA8C841BEDBBB6BF48314F148569E809A7250DB749985CF91

Function 0167B4D9 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0167B73E

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dd193ac1a737106963f2e97db4d89d0d37a5a99b55d395e63950fa187154c5c2
Instruction ID: 20b9a7fe31308dccdbe62e02ce7f282a79cd42aebeabafb98e33ba89433c4d96
Opcode Fuzzy Hash: dd193ac1a737106963f2e97db4d89d0d37a5a99b55d395e63950fa187154c5c2
Instruction Fuzzy Hash: DB810070A00B458FE724DF29D8447AABBF1BF88310F048A2DD58ADBB50DB75E945CB94

Function 058021C5 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058022E2

Memory Dump Source

Source File: 0000000A.00000002.2090135305.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5800000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c57a8c00193d417421f5ac0b0e193dd831218fd9115a10519b09067670187dac
Instruction ID: f12cb1a292eb372b25803585cca2125c3345f15a6ebe353c00408de1626143ac
Opcode Fuzzy Hash: c57a8c00193d417421f5ac0b0e193dd831218fd9115a10519b09067670187dac
Instruction Fuzzy Hash: 1951C1B5D00359AFDB14CFA9C884ADEFFB5BF48310F24812AE819AB250D774A945CF90

Function 058021D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058022E2

Memory Dump Source

Source File: 0000000A.00000002.2090135305.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5800000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b9b2ee1fa7d7701f9caad177856ff9289a9c46639c764729a507f9a54feac841
Instruction ID: 86f5284f7f85f670cc68e9f783945020c6c9b15899244d8f1f52dab69c016ab7
Opcode Fuzzy Hash: b9b2ee1fa7d7701f9caad177856ff9289a9c46639c764729a507f9a54feac841
Instruction Fuzzy Hash: A641C0B5D00309AFDB14CF99C884ADEFBF5BF48310F24812AE819AB250D774A885CF90

Function 016758EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016759A9

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9e59a3274d6cbde0c473b460af6681990c3471f3fb37769ac00fd299bba36385
Instruction ID: a62993c65fe211a766e970b868b965101c84d9d893945c9db3a21c8e094af2d8
Opcode Fuzzy Hash: 9e59a3274d6cbde0c473b460af6681990c3471f3fb37769ac00fd299bba36385
Instruction Fuzzy Hash: F441D4B0C00719CFDB25DFA9C884ADDBBB5BF89304F20806AD409AB255D7756946CF91

Function 05801764 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05804861

Memory Dump Source

Source File: 0000000A.00000002.2090135305.0000000005800000.00000040.00000800.00020000.00000000.sdmp, Offset: 05800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5800000_qicqbuFUGCXO.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d1a27e1893fd6653c8cd7f3c99b81fdf507ae9339a09c89887d4cc0c6388d476
Instruction ID: 645b22c2d2511a0969752726d87c2a6ab82ff7b0be607a7bc36152fb58452583
Opcode Fuzzy Hash: d1a27e1893fd6653c8cd7f3c99b81fdf507ae9339a09c89887d4cc0c6388d476
Instruction Fuzzy Hash: AC412CB4900349DFDB54CF99C849AAAFBF5FF88314F24C859D619A7361D374A841CBA0

Function 016744B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016759A9

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca7fe6d76afdceef7430dafed0782cace3d7b8ae442832fe0498e6b978d725ce
Instruction ID: 75887a8c54cc757c5569a732a5ab9fd73d36a05089fd382717fd1160cdd4bad0
Opcode Fuzzy Hash: ca7fe6d76afdceef7430dafed0782cace3d7b8ae442832fe0498e6b978d725ce
Instruction Fuzzy Hash: 4F41D4B0C0071DCBDB24DFA9C844B9DBBF5BF89304F20806AD409AB255DB756946CF91

Function 077E44CA Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077E4560

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ac7b15e6f89caf10739706fd803595175d6a4cf66c7b1636ee7f524d6671d408
Instruction ID: b1442588ff6124723934561b49f6d9ecbc6b2b710ed677a3ac71b30c679e21cd
Opcode Fuzzy Hash: ac7b15e6f89caf10739706fd803595175d6a4cf66c7b1636ee7f524d6671d408
Instruction Fuzzy Hash: 192128B59003599FCB10DFA9C845BEEBBF5FF48310F10882AE959A7240D7789554CBA0

Function 077E44D0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077E4560

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 70bc309019653dabc3fad31ae2da3f05b45dc6e247b0ce08135714ff6f5bbb71
Instruction ID: 799e11bae160d302e1c0122f804b35583f6fbb600c41860e89a0f4ff0a6e6b74
Opcode Fuzzy Hash: 70bc309019653dabc3fad31ae2da3f05b45dc6e247b0ce08135714ff6f5bbb71
Instruction Fuzzy Hash: F82119B5D003599FCB10DFA9C885BEEBBF5FF48310F10882AE959A7240D7789954CBA4

Function 077E49F1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077E4A78

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 93d076560deaefc7d4bcc822b86d02ba84e00826de03898009b240f127c38e6a
Instruction ID: a39fda9e7df8a2a901960fdf13a7ef5940911377692569af1adc342400a6dd19
Opcode Fuzzy Hash: 93d076560deaefc7d4bcc822b86d02ba84e00826de03898009b240f127c38e6a
Instruction Fuzzy Hash: 992128B1C013599FCB10DFAAC885AEEFBF5FF48310F108429E519A7250D7789941CBA5

Function 077E4332 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077E43B6

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4ca35647097ddff8ffe7a4cca10c38fea357e18e256c17ca8c6b0a1c24c6db37
Instruction ID: cb577b9aa6284f80684f8def9fdf245600c58a89d4f39850f079f77b24478d1d
Opcode Fuzzy Hash: 4ca35647097ddff8ffe7a4cca10c38fea357e18e256c17ca8c6b0a1c24c6db37
Instruction Fuzzy Hash: 992157B1D003099FCB10DFAAC4857EEBBF4EF48354F148429D559A7240CB78A944CFA0

Function 077E4338 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077E43B6

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1a7543e6dae205e12dd4cd06fc0e02b5aa923a7e716add3a411f34d4eb635b97
Instruction ID: d40420171540f4b09676142ef34302cb3834ad1277ff1f3150eee1a0d2ebd9b6
Opcode Fuzzy Hash: 1a7543e6dae205e12dd4cd06fc0e02b5aa923a7e716add3a411f34d4eb635b97
Instruction Fuzzy Hash: 4D2135B1D003099FDB10DFAAC4857EEBBF8EF48354F14842AD559A7240CB78A944CFA0

Function 077E49F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077E4A78

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6449a178489220ee1283abe9a0ef2e04554f55ad6d6ce786597829b29e98fe68
Instruction ID: 7fc0a4d0fa4882128d2910a08a6ba3e7b17ae39821e6c9fa15834d54fcfda2b6
Opcode Fuzzy Hash: 6449a178489220ee1283abe9a0ef2e04554f55ad6d6ce786597829b29e98fe68
Instruction Fuzzy Hash: A52139B1C003599FCB10DFAAC845AEEFBF5FF48310F108429E519A7250C7389540CBA5

Function 0167D9C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0167DA4F

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 611072ea094dc2bf135fa627e2bd9e3d2956011d6ed959c5ef11a5e18fbd6d1f
Instruction ID: dd3687b8e1a4ca774dafd7aaa74abd8a7574177481cfb69e434263159bef33f4
Opcode Fuzzy Hash: 611072ea094dc2bf135fa627e2bd9e3d2956011d6ed959c5ef11a5e18fbd6d1f
Instruction Fuzzy Hash: 1A21C6B59012489FDB10DF9AD984ADEBFF9FF48310F14841AE918A3350D378A954CFA5

Function 0167B208 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0167B7B9,00000800,00000000,00000000), ref: 0167B9CA

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5738b006ff4495986805c470c124e9e3801e63219a8860413bd5a5d27703ae66
Instruction ID: b45ca064427243f015951634c652945bb23d79c9062431c1292790f5d849baf0
Opcode Fuzzy Hash: 5738b006ff4495986805c470c124e9e3801e63219a8860413bd5a5d27703ae66
Instruction Fuzzy Hash: 9E11E4B69003099FDB10DF9AC844ADEFBF4EB89310F10842AD569A7310C379A945CFA5

Function 0167B959 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0167B7B9,00000800,00000000,00000000), ref: 0167B9CA

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24badc9331857ca7bfede375a287d3bec6c0c839957b389734ba4578b4a53c9a
Instruction ID: f163b69affe58ec06341e0dee108c12b27a42ee050c507d78582b7d88491abc7
Opcode Fuzzy Hash: 24badc9331857ca7bfede375a287d3bec6c0c839957b389734ba4578b4a53c9a
Instruction Fuzzy Hash: 812103B6C002099FDB10CF9AC844ADEFBF4EB89310F10842AD569A7210D379A545CFA5

Function 077E440A Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077E447E

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f539d7e8cbc6a9a227632d240eec8e71ee21903ef963c610f9678f4cfb9110b3
Instruction ID: d5f5d3df8fe38d22a2f84d6b6f38d6d137b2f99b5814b7043de9f929496d5b0c
Opcode Fuzzy Hash: f539d7e8cbc6a9a227632d240eec8e71ee21903ef963c610f9678f4cfb9110b3
Instruction Fuzzy Hash: C21167B29002499FCB10DFAAC845AEFBFF9EF49314F208819E559A7250C779A540CFA0

Function 077E4410 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077E447E

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc25f7a80901421dd85b1529243b521c1851d490e5383b96b12102b965fcd30a
Instruction ID: 5b5d7bc271e8decb70e754eb9fecce39862d0de7350de6caad82f555133a5f11
Opcode Fuzzy Hash: cc25f7a80901421dd85b1529243b521c1851d490e5383b96b12102b965fcd30a
Instruction Fuzzy Hash: 151137B59002499FCB10DFAAC845AEFBFF9EF49314F108819E519A7250C779A540CFA0

Function 077E3E48 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 077E3EB2

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 30af3bc1e61d91e82e148c3b41a453ba1e35248b1e4e303d554aa3de67abdff8
Instruction ID: 979afe7c5f69d4e090b413e09cbd32ee0e1711a6b1fae31c1556a0b0295952c4
Opcode Fuzzy Hash: 30af3bc1e61d91e82e148c3b41a453ba1e35248b1e4e303d554aa3de67abdff8
Instruction Fuzzy Hash: FE1149B18002488FCB20DFAAC4456EEFFF8EB88314F148419D559A7240C639A544CBA0

Function 077E3E50 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 077E3EB2

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b8e857591166a34e48493d0dde35410e8eae17e8bb2e0847210e3d448f3d98ea
Instruction ID: c07b04c106924ddd77204bb0d39d9238e64c416e463c9813a471ba7dd56d819d
Opcode Fuzzy Hash: b8e857591166a34e48493d0dde35410e8eae17e8bb2e0847210e3d448f3d98ea
Instruction Fuzzy Hash: 9D1128B19002498FCB20DFAAC4457AEFBF9EF88314F208419D519A7240CB79A944CFA0

Function 077E5A44 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 077E863D

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 25d559fc06395e0cfe94ee2bcfbcef12826d5570673cedcf01472c104c7354fc
Instruction ID: 80847832100c7c24e0b49b2f895cb04926edd549274da7ffcd96605a8473510d
Opcode Fuzzy Hash: 25d559fc06395e0cfe94ee2bcfbcef12826d5570673cedcf01472c104c7354fc
Instruction Fuzzy Hash: D41103B58003499FCB10DF9AC945BDEFBF8FB49314F10881AE918A7250D379A944CFA5

Function 0167B6D8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0167B73E

Memory Dump Source

Source File: 0000000A.00000002.2087033693.0000000001670000.00000040.00000800.00020000.00000000.sdmp, Offset: 01670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1670000_qicqbuFUGCXO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3e87455650988f7adff7075b9dc5c4c4e8d82d0831081b2bd0e9584b7e5fa7cb
Instruction ID: 7cdf87615c1531825866fd29cff748fcef2bc3a66638475c3b60b7b5a782b2fc
Opcode Fuzzy Hash: 3e87455650988f7adff7075b9dc5c4c4e8d82d0831081b2bd0e9584b7e5fa7cb
Instruction Fuzzy Hash: 371110B5C002498FDB10DF9AC844AEEFBF9EF88310F14841AD518A7200C379A545CFA1

Function 077E85D8 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 077E863D

Memory Dump Source

Source File: 0000000A.00000002.2091015874.00000000077E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_77e0000_qicqbuFUGCXO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0ab5afb38fb0164c86866f94da92531b600447a2835308f63287b036408366f3
Instruction ID: f15fe122c1ed3cdeb72302931516828a223d2882ecaee549610b9f65ec80e6d6
Opcode Fuzzy Hash: 0ab5afb38fb0164c86866f94da92531b600447a2835308f63287b036408366f3
Instruction Fuzzy Hash: 8F1133B5800348AFCB10DF9AC849BDEFBF8FB59314F10881AE518A3200D379A940CFA1

Function 0161D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086750749.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_161d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8f3c12b8c04e736e11b32cc88346ca84477ab3c83604f12144f34c50ed26a6
Instruction ID: 304bef777a1df034789c7fcf2ef23e47925cf48686a283e79868d90b15bb5a79
Opcode Fuzzy Hash: ee8f3c12b8c04e736e11b32cc88346ca84477ab3c83604f12144f34c50ed26a6
Instruction Fuzzy Hash: 5A210371500240DFDB15DF58D9C8F26BF65FB88318F28C569E9090B35AC33AD416CAB2

Function 0162D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086824184.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_162d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae41f10142875ba5cec88d863fc42dd7110328efb1f9b3ca6f288a5f3a3b1723
Instruction ID: 5ff20902cc0443fdadc33a7f3f16bdc84b6a522332ae8a045047a80763311d4f
Opcode Fuzzy Hash: ae41f10142875ba5cec88d863fc42dd7110328efb1f9b3ca6f288a5f3a3b1723
Instruction Fuzzy Hash: 46210471504604EFDB05DFA8D9C4F26BBA5FB89324F20C56DEA094B356C33AD406CE62

Function 0162D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086824184.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_162d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9dc9fcbec3d980bd36b740d0bdd3b6cdcf58b7405d66dd2367b03122e76338
Instruction ID: 59371b2310a8543dd02393c898ab6c635fc85cc8dcb4487daa115640e8894e04
Opcode Fuzzy Hash: 1a9dc9fcbec3d980bd36b740d0bdd3b6cdcf58b7405d66dd2367b03122e76338
Instruction Fuzzy Hash: 31212271604640DFCB15DFA8D980B26BF65FB88314F20C56DD90A0B3A6C33ED407CAA2

Function 0162D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086824184.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_162d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef7b8e4224fc53ecf4a6982f6888f52807adf0e49d85f1b2aec2d761cd81500
Instruction ID: 535c91a6894da9d5e68817863c9614fd4ca81d9e9c1ec5e4fde73277a9cc5cf2
Opcode Fuzzy Hash: 7ef7b8e4224fc53ecf4a6982f6888f52807adf0e49d85f1b2aec2d761cd81500
Instruction Fuzzy Hash: 072180755087809FCB03CF64D994B11BF71EB46314F28C5DAD8498F2A7C33A981ACB62

Function 0161D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086750749.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_161d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: ebc930416363498c4c3de84a50f8ee3876bd6cadfc5f1087a1c2030327405329
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6111E172404280CFCB06CF54D9C4B16BF71FB88314F28C6A9D9490B25BC336D45ACBA2

Function 0162D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086824184.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_162d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 96a1f188e7e31e2686b1c4bd7b8e4946c0671506a0fbf58c41d22d20bca0d8fc
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5A11BB75504680DFDB02CF54C9C4B15BFA1FB85224F24C6A9D9494B396C33AD40ACF62

Function 0161D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086750749.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_161d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac1e56c85cf18acbae0f5d726c7409d6ba7d8bb33d3da331d6cdeabb029a10c
Instruction ID: 90826ad51dae03169e760d4cb8f71cd833d900ff85ebbfeccb7ee8384dfd5f6a
Opcode Fuzzy Hash: 7ac1e56c85cf18acbae0f5d726c7409d6ba7d8bb33d3da331d6cdeabb029a10c
Instruction Fuzzy Hash: 5B01DB71005384AEE7208A99DD88B77FFDCEF45320F1CC92AED494A39AC3799841CA71

Function 0161D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2086750749.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_161d000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ad1a7da09a86a85608147ecf0a52a2a07303b5e6e88a3dc367c29ad432a0d2
Instruction ID: fdbd30d3d6eec6c2675968c97e3f407ff0de510d9d78ddd5e0bc3035bed7ba0c
Opcode Fuzzy Hash: 98ad1a7da09a86a85608147ecf0a52a2a07303b5e6e88a3dc367c29ad432a0d2
Instruction Fuzzy Hash: 45F06871405344AEE7218A1ADC88766FFA8EF55624F18C55AED484B386C3795844CA71

Analysis Process: qicqbuFUGCXO.exePID: 7600, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	127
Total number of Limit Nodes:	14

Executed Functions

Function 069030F8 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06903844
$]q, xrefs: 06903820
$]q, xrefs: 0690382C
$]q, xrefs: 069037F7
$]q, xrefs: 06903803
$]q, xrefs: 06903850

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 9d50392fa63a3bbc7d6b65bcd11f37897d902c4110fd229a27bce2cdf13b4590
Instruction ID: 063a5cf578de51e499218760d00b1778a5f599b0e06a32ddd61f9335228c2f17
Opcode Fuzzy Hash: 9d50392fa63a3bbc7d6b65bcd11f37897d902c4110fd229a27bce2cdf13b4590
Instruction Fuzzy Hash: 37325131E1061ACFDB15EF75D89459DB7B6FFC9304F20C6AAD409AB254EB30A985CB80

Function 0690B6E0 Relevance: 8.0, Strings: 6, Instructions: 470COMMON

Download Yara Rule

Strings

$]q, xrefs: 0690BC6D
$]q, xrefs: 0690BCA1
$]q, xrefs: 0690BCAD
$]q, xrefs: 0690BC79
$]q, xrefs: 0690BC39
$]q, xrefs: 0690BC45

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: b08e2cda95d61f9e727259fce1fce4e45f46edc52253a7e0ff82995a3ff4fc15
Instruction ID: 62d2f26a68506ea96595ff73b72c26948ca4dc5a20082f9475d5c2fe5af03e53
Opcode Fuzzy Hash: b08e2cda95d61f9e727259fce1fce4e45f46edc52253a7e0ff82995a3ff4fc15
Instruction Fuzzy Hash: 9F026F30E0021A8FEF64CF68D58066DB7FAEF45310F20892AD415DBA99DB36DD45CB91

Function 06907E08 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06908151
$]q, xrefs: 06908145

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 44745da4c029bcb90c5d77e7564baa634cb91f5bd948e1c21367852f7e544ffd
Instruction ID: 756e7ae46d5fdc9ea280948be7e6ebb186c4484e0d4a1efdc76f4de5bde1fe4f
Opcode Fuzzy Hash: 44745da4c029bcb90c5d77e7564baa634cb91f5bd948e1c21367852f7e544ffd
Instruction Fuzzy Hash: A6029C30B002159FEF54DB68D594AAEB7FAFF84304F248529E4099B795DB35EC42CB81

Function 06905630 Relevance: 1.8, Strings: 1, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 069059E7

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 4e0103e767335f97c8ba0850d792fecdcb79a1d59f5752ef514d62611befa14b
Instruction ID: 05f996de9aae2f7460b3f81492754f2368e54b5ca86ebf1ec01120f80d809cb7
Opcode Fuzzy Hash: 4e0103e767335f97c8ba0850d792fecdcb79a1d59f5752ef514d62611befa14b
Instruction Fuzzy Hash: 9622F475E002158FEF64CBA4C6806AEBBF5EF84320F21856AD459EB794DA31DC42CF91

Function 06906678 Relevance: .8, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e281af81a64623329c6fca30208038df4e95313467fd8ebe1a472ef7ed96570
Instruction ID: 2cf5d64956ba673ba6e0c22a96bb1f7c8b85b2f044d0695c2064ecf7a0645fc1
Opcode Fuzzy Hash: 4e281af81a64623329c6fca30208038df4e95313467fd8ebe1a472ef7ed96570
Instruction Fuzzy Hash: D062BD34F002058FEB54DBA8D590AADB7F6EF84314F248569E40AEB794DB35EC46CB81

Function 0690C220 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292409787c91d9bf1024427de503b793539e214f5c8773a0e0a7b78111949e27
Instruction ID: 9041105dda23ff62d76759ac4fefc593ea9e4706f32d7001e48eb9172c4bb53c
Opcode Fuzzy Hash: 292409787c91d9bf1024427de503b793539e214f5c8773a0e0a7b78111949e27
Instruction Fuzzy Hash: DE329034B00216DFEB54DB68D580BADB7B6FB88310F208629E415EB794DB35EC46CB91

Function 0690B2BA Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c6891b62b852fe7632af6096ecd7ab289b7675f53ada02c2516a1bc8dbd8ba
Instruction ID: 27432daaba63c83e28c32b9d3b6c9cf33e81655d21259577c6398abcb5cccda6
Opcode Fuzzy Hash: 39c6891b62b852fe7632af6096ecd7ab289b7675f53ada02c2516a1bc8dbd8ba
Instruction Fuzzy Hash: 35226130E102098FEF64CB69D5807ADB7FAEB45310F308929E409EB799DA36DD81CB51

Function 0690AD60 Relevance: 12.9, Strings: 10, Instructions: 391
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0690AF03
$]q, xrefs: 0690AF2C
XM, xrefs: 0690B131
$]q, xrefs: 0690AED4
$]q, xrefs: 0690AE8D
XM, xrefs: 0690B212
$]q, xrefs: 0690AE81
$]q, xrefs: 0690AF38
$]q, xrefs: 0690AF0F
$]q, xrefs: 0690AEE0

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: XM$XM$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1012131581
Opcode ID: 4dc23326ce666f07c1d2cd09039475a1873e068d2522ebcb5a9c29da0edc0166
Instruction ID: 785ca598ad07f08b2120dcce833eb5a41a2fede20fa92ca554db473b01b3f103
Opcode Fuzzy Hash: 4dc23326ce666f07c1d2cd09039475a1873e068d2522ebcb5a9c29da0edc0166
Instruction Fuzzy Hash: 79E16130E103098FDB65DF69D5906AEB7BAFF84304F208929E409AB795DB35DC46CB81

Function 069091D8 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0690925A
$]q, xrefs: 0690922B
$]q, xrefs: 06909266
$]q, xrefs: 0690921F

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: b363e2551e6a7888fbd6b605a952d42ddb04eb76e9cffb61df4ed2e282eb4c2a
Instruction ID: aff4d0556090a4706f0c05c2a6e8027cd43e0d76187c973136d165c4a7f2e58b
Opcode Fuzzy Hash: b363e2551e6a7888fbd6b605a952d42ddb04eb76e9cffb61df4ed2e282eb4c2a
Instruction Fuzzy Hash: 07916230B1021A9FDB54DF69D850B9EB7F6BF89204F108569D40DEB389EE309D46CB91

Function 0690CFE8 Relevance: 4.5, Strings: 3, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0690D3E7
$]q, xrefs: 0690D3F3
$]q, xrefs: 0690D3DF

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: c7a1909a3c34ce10843d6aa3b068508cef8b4e4977ff335be3f3046543c4af64
Instruction ID: f1de3454919dec7f11440a445ac11c5dcfc9abe1a1159d20fc43a45456c7215a
Opcode Fuzzy Hash: c7a1909a3c34ce10843d6aa3b068508cef8b4e4977ff335be3f3046543c4af64
Instruction Fuzzy Hash: 64624230A002168FDB55EF68E590A5DB7F6FF84304B20CA68D0099F759DB75ED4ACB81

Function 06904C08 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06904D59
\Obq, xrefs: 06904DE3
fbq, xrefs: 06904C33

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 9f6412f58da3d7e225c0f8d60cb48f9a0115904e78ec14a590c48c5452b4ea52
Instruction ID: a0b04cd1a42f204caa8c96815297691fdc2d5b714e263316dd469089a3d9f61f
Opcode Fuzzy Hash: 9f6412f58da3d7e225c0f8d60cb48f9a0115904e78ec14a590c48c5452b4ea52
Instruction Fuzzy Hash: 7F615130E00219DFEB549FA5C855BAEBBF6FF88700F208429E109AB395DE758D458B91

Function 069091C8 Relevance: 2.7, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0690925A
$]q, xrefs: 0690921F

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 93462d56aa91056bc101ff09da47a2b4cb5384627a766bf9f24a03a7cbdf34b4
Instruction ID: e7890116e90175b4ad91875048370bee9e3b9c2dcdd10f294a121da5ec402cc1
Opcode Fuzzy Hash: 93462d56aa91056bc101ff09da47a2b4cb5384627a766bf9f24a03a7cbdf34b4
Instruction Fuzzy Hash: 1A514030B101159FDB54DB79D890BAEB7F6AF88604F108569D80DEB399EE309C47CB91

Function 06904BF8 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPbq, xrefs: 06904D59
fbq, xrefs: 06904C33

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 613424e5db56bfc00d06743aa3b483c145e648ba4f8bbc911d99a4a39314fb02
Instruction ID: 7d7387be8558e2c8a2a7046f4d0c45859090ec146d95e2c8d16ba675670935f7
Opcode Fuzzy Hash: 613424e5db56bfc00d06743aa3b483c145e648ba4f8bbc911d99a4a39314fb02
Instruction Fuzzy Hash: C0516030F002199FEB549FA5C855BAEBBF6BF88700F20C529E106AB395DA759D01CB91

Function 058FB228 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9bbeeaff873a23f913260ec31c84fb656631032d66b9f2975ba21cc6ba35b636
Instruction ID: c89d38a99cfd5d186d1ee4b49aa21ca84c9b70d970171c6bbc5be7fd48b19d82
Opcode Fuzzy Hash: 9bbeeaff873a23f913260ec31c84fb656631032d66b9f2975ba21cc6ba35b636
Instruction Fuzzy Hash: 3E715770A00B058FD724DF6AD444B6ABBF6FF88304F008A2DD98AD7A50DB35E845CB91

Function 058FD804 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058FD922

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ddc2095ea9ae1018c93b8c8e1032459f517e0133485e73cfd89a95ad49d4d7ba
Instruction ID: 63b8c15fe9c205dba7e2b969c7223ab6b140db10f0f77e32f2224c9a0017ccaa
Opcode Fuzzy Hash: ddc2095ea9ae1018c93b8c8e1032459f517e0133485e73cfd89a95ad49d4d7ba
Instruction Fuzzy Hash: 0F51CFB1D00349AFDB14CF99C884ADEFBB5BF48310F24852AE919AB210D775A845CF90

Function 058FD810 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058FD922

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5f20f5c074b790eb8e0e6bc73f99bab65d4073005cb8a7facbed76536242b3ee
Instruction ID: c2ba956980a1be57717a9236b54e36b7bc6281d3723416f43a791b43e5a91c5b
Opcode Fuzzy Hash: 5f20f5c074b790eb8e0e6bc73f99bab65d4073005cb8a7facbed76536242b3ee
Instruction Fuzzy Hash: 5541AEB1D103499FDB14CF9AC884ADEFBF5BF48310F24852AE919AB250D775A885CF90

Function 058FCD6C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 058FFE91

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7fe0e5756a9571ae135ea9874645e7d419e54f161d8148eaf108f9da697984af
Instruction ID: 8a7fbb5a2cdd5d3e84ad3f0f0ae361b3fb0ec9fa82abd3199548bbb98232bd64
Opcode Fuzzy Hash: 7fe0e5756a9571ae135ea9874645e7d419e54f161d8148eaf108f9da697984af
Instruction Fuzzy Hash: 034119B4A003498FCB14DF99C448AAABBF5FF88314F24C459D659AB321D774A845CBA0

Function 010CEC27 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 010CECA7

Memory Dump Source

Source File: 0000000F.00000002.3235992696.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10c0000_qicqbuFUGCXO.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 74304125b4c704af29071f0395e25cf683312ddc10450f77008ffb058d527584
Instruction ID: 9228ba4ce5722aaf1bfd71c3fc6de5d98247ccc00ad322d70a52c2ca0faf710b
Opcode Fuzzy Hash: 74304125b4c704af29071f0395e25cf683312ddc10450f77008ffb058d527584
Instruction Fuzzy Hash: 8E2130B1C006599FCB10CFAAC585BDEFBF4AF08310F10856AE918A7240D338A945CFA5

Function 058FB67D Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 058FB6EA

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 52bca0396e539a95d9c8d7f6306a2e14bdebcf69a37edfcd43418ba015981f11
Instruction ID: 714facb48bf33d1029271cc8cb3044dea8faf7c046342fe02b936aeebd2c4080
Opcode Fuzzy Hash: 52bca0396e539a95d9c8d7f6306a2e14bdebcf69a37edfcd43418ba015981f11
Instruction Fuzzy Hash: 4011F9B5D002499FDB10CF9AD844BDEFBF5FB48310F10841AD919A7210C779A945CFA5

Function 010CEC40 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 010CECA7

Memory Dump Source

Source File: 0000000F.00000002.3235992696.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_10c0000_qicqbuFUGCXO.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 62767208aa15dc41de0df08228576b7fbe98b27eb6779a72379aca9110033a0f
Instruction ID: efaba57bad9b976cc1ab9ceb97ea907b1be37ce38d9176f1996a8728dfa98859
Opcode Fuzzy Hash: 62767208aa15dc41de0df08228576b7fbe98b27eb6779a72379aca9110033a0f
Instruction Fuzzy Hash: BC111FB1C006599BCB10DFAAC545B9EFBF4AF48320F10816AE818A7240D778A944CFA1

Function 058FB680 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 058FB6EA

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0e247c61f50b1f9b437e3a43531d3c9a6b9065c1fe8ea2a3aa6d3806d56e7b59
Instruction ID: 2e2b5fd15376564c853df09b721b91952da72d04de1af1105705701ebe9ead97
Opcode Fuzzy Hash: 0e247c61f50b1f9b437e3a43531d3c9a6b9065c1fe8ea2a3aa6d3806d56e7b59
Instruction Fuzzy Hash: DC11F3B68002498FDB10CF9AD844BDEFBF8FB88310F10842AD919A7210C379A945CFA5

Function 058FA17C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,058FB244), ref: 058FB47E

Memory Dump Source

Source File: 0000000F.00000002.3247751496.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_58f0000_qicqbuFUGCXO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4b481b69e074c0d62873d677c5f8ed9366d545be2698b083ad1fd4199bc6a38d
Instruction ID: 74c40e357b06c4dad86a0108a01969602e3c60ee1cc6c0e9c42b5d17f4915f44
Opcode Fuzzy Hash: 4b481b69e074c0d62873d677c5f8ed9366d545be2698b083ad1fd4199bc6a38d
Instruction Fuzzy Hash: 661102B5C047498FCB10DF9AC544B9EFBF5EB88314F10842AD919A7310D379A945CFA1

Function 0690DB5D Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0690DCB9

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 4c8e499fc34458678d02dc8f680b9bc98745e23d447a65bf8630c70d4c147fa9
Instruction ID: 223f58fb5649360698bc5e25d8d209e6951759c6b1ff4cd96af866889458c0a8
Opcode Fuzzy Hash: 4c8e499fc34458678d02dc8f680b9bc98745e23d447a65bf8630c70d4c147fa9
Instruction Fuzzy Hash: B3419070E102199FEF54DFA4C5516AEBBB6BF85300F20492AD405E7690DF74D94ACB81

Function 06902298 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 069023D3

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: e7de7330d24cb69a21549f34143c60213f818329aecdcb7a07e236e43473ced2
Instruction ID: b16e88795ae288b2a3f8c7a0ff37b6b2eb8aec1b07a5d0e5eb83de2faff737b5
Opcode Fuzzy Hash: e7de7330d24cb69a21549f34143c60213f818329aecdcb7a07e236e43473ced2
Instruction Fuzzy Hash: 37310430B002058FEB48AB74D95866E7BEBBF89A04F20843DD406DB395DE35DE06CB95

Function 06902293 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

PH]q, xrefs: 069023D3

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 8ab6abe856bcb3f44d94e5ff04fbecc122481f14697f90e6afbb080d2c1c00ae
Instruction ID: 47bb431d99d0b0d3f7db7d98abe0292a3584f0e1916e7e95a80c213b48f11603
Opcode Fuzzy Hash: 8ab6abe856bcb3f44d94e5ff04fbecc122481f14697f90e6afbb080d2c1c00ae
Instruction Fuzzy Hash: E631F030B002058FEB48ABB4D55866E7BEBBF89604F208539D406DB395DF35DD06CB91

Function 06902B7B Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc505217b9c56e2273fb92e2cb73e2726960018903eccba7bbfe884f6d33105
Instruction ID: 6a34d3804213fa4923e822470d777376411dc0f967179bbd8ee6f29c5b2267b1
Opcode Fuzzy Hash: ebc505217b9c56e2273fb92e2cb73e2726960018903eccba7bbfe884f6d33105
Instruction Fuzzy Hash: 77027734A00205CFEB64DB64C588A9DB7F6FF84314F64C8AAD409AB695DB35ED85CF80

Function 06906270 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9f3ba46768349d100ca31eb467de59cac80e542f17f792e4475535b609157c
Instruction ID: 99b9bac11312b4bd61a4c132cedcd0270d7892ef47cbb38fafa0fe91ba098121
Opcode Fuzzy Hash: 0f9f3ba46768349d100ca31eb467de59cac80e542f17f792e4475535b609157c
Instruction Fuzzy Hash: CB61A071F000214FEB54AA6EC89065FBADBAFD4224B254479D80EDB364DF7ADD0287D2

Function 0690433A Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be87a656bafa4f540c6436305ebf0940810257ac6750f77e4bfd1a6e395b24a4
Instruction ID: e801ade542034ff4413f746f159b178f5ef38a2192855a0b378ec62a0237a126
Opcode Fuzzy Hash: be87a656bafa4f540c6436305ebf0940810257ac6750f77e4bfd1a6e395b24a4
Instruction Fuzzy Hash: AE818F30B0020A8FDB44DFA9D45469EB7F6AF89704F208529E50AEB794EB35DC46CB81

Function 06904658 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e55e7b75956b7cb31aeb98c095500888591a530032f615e6e4cc6081cd0223
Instruction ID: 8514a995f06e8c9b31696650fe0ceb69bb1adf5e57bcbe05a6c847723675e730
Opcode Fuzzy Hash: e4e55e7b75956b7cb31aeb98c095500888591a530032f615e6e4cc6081cd0223
Instruction Fuzzy Hash: B6915E30E00219CFEF60DF68C890B9DB7B5FF85700F208599D549AB295DB70AA86CF91

Function 06904670 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c072594ce6504b09a0937ad14bf50a2f597a8a22fb6e108d67b2068879a7108
Instruction ID: 819fae4705e93780bd271db56332220aee07b6ae1edde59b5518e57dfc31eece
Opcode Fuzzy Hash: 5c072594ce6504b09a0937ad14bf50a2f597a8a22fb6e108d67b2068879a7108
Instruction Fuzzy Hash: 0F913C30E00219CFEF64DF68C890B9DB7B5FF85700F208599D549AB295DB70AA86CF91

Function 0690EBB0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425d679aee958cf89be871ec735b9da2b94ff1ec9edb93f577e236250e68327b
Instruction ID: 75734b9ac595c19e485b64ec6e98c716a87cd4a06786dd2126d0232026f8545c
Opcode Fuzzy Hash: 425d679aee958cf89be871ec735b9da2b94ff1ec9edb93f577e236250e68327b
Instruction Fuzzy Hash: 9E712C31E002099FDB54DFA9D990AADBBF6FF84300F248929D419EB655DB31ED46CB40

Function 0690EBC0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543506336e1b4c94ac7b1443ce66363deb0a446bb46956fb2305ddf83410c926
Instruction ID: 263171c409bc2627ae621c0ed42e38dd7683a75afd765319dce0ae1bc4c388e6
Opcode Fuzzy Hash: 543506336e1b4c94ac7b1443ce66363deb0a446bb46956fb2305ddf83410c926
Instruction Fuzzy Hash: F4712B30E002099FDB54DFA9D990AADBBF6FF88300F248929D419EB655DB31ED46CB50

Function 0690FD20 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11200aa733f64625d90d4279fd52da32d4a482bbe2642be3095ebda16c3eb94b
Instruction ID: 6f6241e3b49b51c2a2cd9c383aff91c91e60abb36b25084c18666896c45f76a1
Opcode Fuzzy Hash: 11200aa733f64625d90d4279fd52da32d4a482bbe2642be3095ebda16c3eb94b
Instruction Fuzzy Hash: 6D510431E00109CFEB64EB78E8546ADB7B6FF84315F20886AE50AD7691DF358A45CB81

Function 0690FAD2 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e714c1f93b3d05bea7efbbacb4a2c0d9ff6ee2b365fd3b467cd0239bd9be1f16
Instruction ID: 2933aead4505842d1fc7f56e5c156e668efd3f733fa20abb764592e80608ce88
Opcode Fuzzy Hash: e714c1f93b3d05bea7efbbacb4a2c0d9ff6ee2b365fd3b467cd0239bd9be1f16
Instruction Fuzzy Hash: 7D51D370F102249FFF745BA9E85072E265EDB89710F304929EC0EC77D6CA68CD459792

Function 0690FAE0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7f10453ad2214d5ec125d199f0be53103008d676a6c22f8f2a985ccd5cb01b
Instruction ID: a2a60b6c99c4bb219f1127c83893232c7e243da232995620d433bc32671c005d
Opcode Fuzzy Hash: 9f7f10453ad2214d5ec125d199f0be53103008d676a6c22f8f2a985ccd5cb01b
Instruction Fuzzy Hash: 7A51D270F102288FFF705AA9E85072E265EDB89710F304929EC0EC77D6CA68CD459792

Function 069054B1 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6f9abe71d5e9f7705a6d53e0cdc8252dbfb3cbe206dbeff5fec18894801306
Instruction ID: 4e3114e4d40674440463c351cc3cc3796c66bd2bd47c5dcca80954ff1397f75f
Opcode Fuzzy Hash: cd6f9abe71d5e9f7705a6d53e0cdc8252dbfb3cbe206dbeff5fec18894801306
Instruction Fuzzy Hash: 1D416D75E006099FDB60CEA9D980AAFBBB6EB44310F21492AD215D7A90D730E8458F91

Function 06905620 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce169e112c40dd67a158afab2ce8c1686491cbfa09a00bc5a7fab397875cd6fb
Instruction ID: 7af3b9b484fd2dce8eb6b6f392546bb5f7f03381ee372bd054771d9d88816451
Opcode Fuzzy Hash: ce169e112c40dd67a158afab2ce8c1686491cbfa09a00bc5a7fab397875cd6fb
Instruction Fuzzy Hash: B8318D31E102098FEF60CEA9C581BAFFBF9EB45320F21892AD159D7691D634D981CF91

Function 06902158 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff17418936bff47b886ecf55f213df3fbf1d7ddc0fc9b6b02e54b529de7f66f
Instruction ID: f2cf1391f033d6e4d9ba58789ba69ffa91558cd2fd12d1bc0bea9fccd5cc93a7
Opcode Fuzzy Hash: bff17418936bff47b886ecf55f213df3fbf1d7ddc0fc9b6b02e54b529de7f66f
Instruction Fuzzy Hash: 57318034E146098FDB59CFA9D85869EB7F6FF89300F208519E806EB790DB71AD42CB50

Function 0690214F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1503601496889749651d5efbd514ec82b84ebf0df4f9ec492120b0e6ce71f3
Instruction ID: c0b70e9f8f7309a71486d7adca7c8e64c4f3afe8f164923b761d1aa0cb1dc195
Opcode Fuzzy Hash: 1a1503601496889749651d5efbd514ec82b84ebf0df4f9ec492120b0e6ce71f3
Instruction Fuzzy Hash: AD316D35E14605CFDB59CFA8D49469EB7F6BF89300F208519E806EB790DB31A942CB50

Function 06903B38 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac5dba0b23ca8714b1c4f195781a2ab69f10be784f16df94de6f4b8aa3af98f
Instruction ID: 983a090a886081069df5d24c9886e556be4ee8db249fdae9a0b07480d20e8565
Opcode Fuzzy Hash: 0ac5dba0b23ca8714b1c4f195781a2ab69f10be784f16df94de6f4b8aa3af98f
Instruction Fuzzy Hash: 84214F75F0022A9FEB50DFA9D841AEEBBF5AB48714F108129E905E7390E735DD018B91

Function 06903B48 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2eec644a3845cc49f77cdff359b5a19863464408717fac854e4aaa8b3a5dc3
Instruction ID: d5ab7334c83abd41891c6c3e2811d35c2a28e0df627cf6d7e9558c7640253ea3
Opcode Fuzzy Hash: 8d2eec644a3845cc49f77cdff359b5a19863464408717fac854e4aaa8b3a5dc3
Instruction Fuzzy Hash: 43215E75F0062A9FEB50DFA9D980AEEBBF5EB48714F108129E905E7380E735DD018B91

Function 00FED044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3235557691.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fed000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57de6843b70459020ca412a3736d51a403c2579c83f9921ebf6ad780c0632936
Instruction ID: 74d95f4548074c90c0c945d93509ebfe9ad0e5f8415854c40110b980e57f78bf
Opcode Fuzzy Hash: 57de6843b70459020ca412a3736d51a403c2579c83f9921ebf6ad780c0632936
Instruction Fuzzy Hash: 64214671504284DFDB14CF24C9C0B26BB65FB84324F28C56DEA490B79AC73AD846EB62

Function 06903C58 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51d7342fbfa8e4b435400e756ba984b10fce13f3cb9150a22cf0c5d351f2ed0
Instruction ID: b0720b7968b20dea142844b5b41f86b66a745707d63d14220890bb6a9bc2c9ec
Opcode Fuzzy Hash: b51d7342fbfa8e4b435400e756ba984b10fce13f3cb9150a22cf0c5d351f2ed0
Instruction Fuzzy Hash: 37110432B100368FEF54DA79D8146AE77EAEBC8301F104639D80AEB384DE24CC028BD1

Function 06904298 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d284ba17c0fa350c4fe72f83f79a282b038ad1d3a9780def5153a0c944212ea
Instruction ID: 56333642c3f2f1f1efd0abc1eaa50d75326ad39e15389ecd02cf1796f3c2bc09
Opcode Fuzzy Hash: 4d284ba17c0fa350c4fe72f83f79a282b038ad1d3a9780def5153a0c944212ea
Instruction Fuzzy Hash: DE01F131B000504FDB7196BDA950B6FABEADBCAB14F24883DE50ED7B85D966CC038781

Function 00FED03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3235557691.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_fed000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 48e816ceb08148ac98e1f160d383b5856208bd9fdbd2a48aab0a0036f151eef0
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5411D075904284CFDB11CF10C9C4B15BF61FB44324F28C6AAD9494B656C33AD84ADF62

Function 0690EE31 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c37a7835688d12217e473f0ab1974436c0b6eec3ae0f911f089d8b0fbc8f441
Instruction ID: 5a9516c25d6146281f21a6309de0fa8e699502042da275c462f633b3aa697356
Opcode Fuzzy Hash: 7c37a7835688d12217e473f0ab1974436c0b6eec3ae0f911f089d8b0fbc8f441
Instruction Fuzzy Hash: F8018F31B105154FEB699A7DE494B3F77DAEBC9710F258829E10ACB390EE25DC028785

Function 06903C48 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7e0b3ca62227b3df7f40af877c2431aa1fffdcb70297cdd0eb014499ee4ac5
Instruction ID: af239b3a862d83dc990fd8bd27f71716a814046ee7caf9a4f3abebf9b88d357f
Opcode Fuzzy Hash: 4e7e0b3ca62227b3df7f40af877c2431aa1fffdcb70297cdd0eb014499ee4ac5
Instruction Fuzzy Hash: EA01F532B100259BEF54D6A9D814AEB77AE9BC4750F00013AE806D7290EF24D906CBA1

Function 06903910 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76326df4f5597ae58f02a8831a0fb8031c52328493a68610edd29e907b041933
Instruction ID: 7d48b8ea22fb37b7f6ec54abd6494ebfe43c57aff3ec32d4e702022e039713d8
Opcode Fuzzy Hash: 76326df4f5597ae58f02a8831a0fb8031c52328493a68610edd29e907b041933
Instruction Fuzzy Hash: 7B21CBB5D016199FCB00CF9AD984A9EFBF4FB48310F10862AE918A7240C378A944CFA5

Function 06903918 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2803890e5a0736889d998b564652534a67f4374fe67769a75f43f087624703db
Instruction ID: bcb158d2b488d48078567f2ad34a849174b81c15134dc6396bb05a4b3ae3d1a0
Opcode Fuzzy Hash: 2803890e5a0736889d998b564652534a67f4374fe67769a75f43f087624703db
Instruction Fuzzy Hash: 1011C2B5D012599FCB00DF9AD884ADEFBF8FB48310F10812AE518A7340C3786544CBA5

Function 069042A8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b30158627902c25208e98bc3a99e59d1950d80484bb965d0b5c06de04dbe0a
Instruction ID: ff7b25b6a24d05328e949d6cb6bcb1caf806bad30b7723fa1c9d0e76ef0e371b
Opcode Fuzzy Hash: f6b30158627902c25208e98bc3a99e59d1950d80484bb965d0b5c06de04dbe0a
Instruction Fuzzy Hash: 30016D31B000104FEB6596ADE954B2FB2DEDBCAB15F208839E60EC7795DD66DC034791

Function 0690A398 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6943336d8c7280fa19f29720a0f9c47f4a32a1647afddbee4091516a29e6b69
Instruction ID: daca11e2744692faa4a6178d399a263b2abbf9f5e9c85a4f3f2ab608910c8806
Opcode Fuzzy Hash: a6943336d8c7280fa19f29720a0f9c47f4a32a1647afddbee4091516a29e6b69
Instruction Fuzzy Hash: B801B135B101140FD765DA7EE45571E77EAEB89710F10483DE10AC7795EE21DC0183C1

Function 0690EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b89b1b5618fde1ec02f851a7355b91672cd8862d55a45315b32d701f015f59
Instruction ID: add45b8992c72c47e45ce25ccb070a5438cc87d109384bf1bd842acbb1bd0f39
Opcode Fuzzy Hash: 55b89b1b5618fde1ec02f851a7355b91672cd8862d55a45315b32d701f015f59
Instruction Fuzzy Hash: 79018135B100150FEB65966D9454B3F67DEDBC9710F208839E50EC7790EE25DC024385

Function 0690A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e0231bf7f420c5d9a0feabc1b3735bec08d4dde600d4193692afc6d3138c6f
Instruction ID: 71b95cb3c2a02da023078d94fd98a1a208279ae045a143930e6745aabf1c6555
Opcode Fuzzy Hash: 72e0231bf7f420c5d9a0feabc1b3735bec08d4dde600d4193692afc6d3138c6f
Instruction Fuzzy Hash: 92016D35B101244FDB65EA6DE455B2E77DAEB89720F208438F10EDB795DE21DC0283C1

Function 0690C870 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ecb99fd9024aff6df24314b52566c171e3036248205d9e6e71ffc3178ab2433
Instruction ID: 8c26cc501fcea600664d9c3011099028b63c2e286bba637e7a6d584cd70f571d
Opcode Fuzzy Hash: 6ecb99fd9024aff6df24314b52566c171e3036248205d9e6e71ffc3178ab2433
Instruction Fuzzy Hash: 61F0A732E20224DFDB549666DC00A9AB739E784764F204529ED01E7684D6716C05CBC0

Function 069064F9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7983338c6c9c0418f69f3d68ad96f6fe3f4ab5939c947d9e55a2db28b261528
Instruction ID: 6e95bbb8bdbb4c80af2bb2f586b30c3179e12b8669c8fd0ef5761cdef32e9e13
Opcode Fuzzy Hash: e7983338c6c9c0418f69f3d68ad96f6fe3f4ab5939c947d9e55a2db28b261528
Instruction Fuzzy Hash: 82E04FB5E241059FEF60CF70DA4575A7BF8EB46208F7089A6C404DB982E23ADD15CB51

Non-executed Functions

Function 06907728 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 06907899
$]q, xrefs: 06907CC4
$]q, xrefs: 06907C19
$]q, xrefs: 06907CCE
$]q, xrefs: 06907868
$]q, xrefs: 06907CB8
$]q, xrefs: 06907CDA
$]q, xrefs: 0690788D
$]q, xrefs: 06907C25
$]q, xrefs: 0690785C

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 1d7e7b6438ef49bc1af116b3adaf1ca5b1b540175337fb4e3f1790a5c02afb0c
Instruction ID: 8a8dcb773e5e8c7c152ad1cb8a820101e6006a936942aa90849ee0d9b1e2d331
Opcode Fuzzy Hash: 1d7e7b6438ef49bc1af116b3adaf1ca5b1b540175337fb4e3f1790a5c02afb0c
Instruction Fuzzy Hash: F1123030E00219CFEB64DFA9C994AADB7F6BF84714F208969D4099B754DB30AD45CF41

Function 0690A9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0690AB7A
$]q, xrefs: 0690AB25
$]q, xrefs: 0690AACA
$]q, xrefs: 0690AB19
$]q, xrefs: 0690AB44
$]q, xrefs: 0690AB50
$]q, xrefs: 0690AABE
$]q, xrefs: 0690AB86

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 7ab3d1eb386fc9272301ef9e94bc867904ae1b7d3a81e302cd05c5c66dabe071
Instruction ID: c030135086b1d32b97144b11550da0ba0d7cbc2aff14339c14e46196dc117475
Opcode Fuzzy Hash: 7ab3d1eb386fc9272301ef9e94bc867904ae1b7d3a81e302cd05c5c66dabe071
Instruction Fuzzy Hash: 5B917E30A00319DFEB68EB65D994BAE77FABF84704F208529E401AB695DB349C41CBC0

Function 06907128 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06907470
$]q, xrefs: 0690740A
$]q, xrefs: 0690763C
$]q, xrefs: 06907464
.5uq, xrefs: 06907183
$]q, xrefs: 06907630
$]q, xrefs: 069075C4

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 7a9a5b5646a3daf1fbbb64b46e40191c2f98a3a5fe703a8805d6d5a152a1b3db
Instruction ID: 7724aa71f1e667793da3c6af34730f06edb2cc435207714c69d1e1c4239f9cae
Opcode Fuzzy Hash: 7a9a5b5646a3daf1fbbb64b46e40191c2f98a3a5fe703a8805d6d5a152a1b3db
Instruction Fuzzy Hash: CAF12F34B00219CFDB58EFA9D550A6EB7B6BF84314F24852CE4459F7A8CB75AC42CB81

Function 06908460 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 0690872B
$]q, xrefs: 0690871F
$]q, xrefs: 069086C6
$]q, xrefs: 069086BA

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: fdd13c03684bf9132cae4c41cb80aba4391ca1a350ebb76a1d24f517da9961c4
Instruction ID: c4e9a77a60baaebd19e0b0dc25fdc3b55cdd58e218e80bd249bc9fb6bc94ac1c
Opcode Fuzzy Hash: fdd13c03684bf9132cae4c41cb80aba4391ca1a350ebb76a1d24f517da9961c4
Instruction Fuzzy Hash: 37B13C30F10209CFDB58DFA9D690A9EB7B6EF84304F248929D4059B795DB75DC82CB80

Function 06908878 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 06908903
LR]q, xrefs: 069089BA
$]q, xrefs: 069088F7
LR]q, xrefs: 0690896B

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 650c05d70c38002498f166f5db341ac36d0df38e589aee023d6ee85f49eee7ae
Instruction ID: 7bc85c269e3afcefb32ddbcea5255612cf8ce33dee0186f5a071c86937088f23
Opcode Fuzzy Hash: 650c05d70c38002498f166f5db341ac36d0df38e589aee023d6ee85f49eee7ae
Instruction Fuzzy Hash: DA51E630B002018FEF58EF69D650A6A77EAFF84304F14866DE4159B7A5DB31EC41CB91

Function 0690AD5B Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

$]q, xrefs: 0690AF03
$]q, xrefs: 0690AF2C
$]q, xrefs: 0690AED4
$]q, xrefs: 0690AE81

Memory Dump Source

Source File: 0000000F.00000002.3249387994.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6900000_qicqbuFUGCXO.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: ed386dc3f26ca5293125f382b96c338ede3b6ce88bee68ed5a1926ce68950210
Instruction ID: 639a7d8f333b40314305ce83b8353b05f3f84d50734ec35a13f4d442278f5b57
Opcode Fuzzy Hash: ed386dc3f26ca5293125f382b96c338ede3b6ce88bee68ed5a1926ce68950210
Instruction Fuzzy Hash: 55517F30E103058FEB65DB68D590AAEB7BAEF84315F20892AE405DB695DB31DC42CBD1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment List.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment List.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qicqbuFUGCXO.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2b4v25mx.py4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2k25l10s.ehu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ycvunae.3t1.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eex24wbc.iy2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2bj0fhx.uwo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gj4u1ly2.k3q.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ix1k0ng4.d1l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofzeqo3f.zu0.ps1

C:\Users\user\AppData\Local\Temp\tmpC3DF.tmp

C:\Users\user\AppData\Local\Temp\tmpD43A.tmp

Windows Analysis Report
Payment List.bat.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre