Windows Analysis Report
rwzBBMVxUb.exe

Overview

General Information

Sample name: rwzBBMVxUb.exe
renamed because original name is a hash value
Original sample name: 4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3.exe
Analysis ID: 1559434
MD5: 5b65abb4776d7bae7624c3085a5a227a
SHA1: 7eedb005b4e3a79aa4482f8fe04c16ee4490bfb6
SHA256: 4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3
Tags: exeuser-JAMESWT_MHT

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: rwzBBMVxUb.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Avira: detection malicious, Label: HEUR/AGEN.1306098
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "chimaobi@alruomigroup.com", "Password": "LtURz%y7", "Host": "smtp.alruomigroup.com"}
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe ReversingLabs: Detection: 89%
Source: rwzBBMVxUb.exe ReversingLabs: Detection: 89%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Joe Sandbox ML: detected
Source: rwzBBMVxUb.exe Joe Sandbox ML: detected
Source: rwzBBMVxUb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rwzBBMVxUb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE
Source: unknown DNS traffic detected: query: smtp.alruomigroup.com reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: smtp.alruomigroup.com

System Summary

Source: 9.2.qXLPL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: rwzBBMVxUb.exe Binary or memory string: OriginalFilename vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.00000000029B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTimeSpan.dll2 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000000.1672709866.00000000000D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTokeniz.exeF vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1748666635.000000000076E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTimeSpan.dll2 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1762903949.0000000007020000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSinkProvider.dllB vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSinkProvider.dllB vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000002.00000002.4140278542.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000002.00000002.4139303062.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe Binary or memory string: OriginalFilenameTokeniz.exeF vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.qXLPL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: rwzBBMVxUb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qXLPL.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, Q6j.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, hU.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwzBBMVxUb.exe.log
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Mutant created: NULL
Source: rwzBBMVxUb.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.000000000351B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rwzBBMVxUb.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File read: C:\Users\user\Desktop\rwzBBMVxUb.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: rwzBBMVxUb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rwzBBMVxUb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
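The two "Static PE information" entries above are header facts that can be verified without executing the sample: the DllCharacteristics word (DYNAMIC_BASE and NX_COMPAT are the ASLR/DEP opt-ins, NO_SEH is what .NET compilers emit because managed code carries no native SEH handlers) and a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR slot, which is what makes the loader pull in mscoree.dll as the first module, as the "Section loaded" lines above show. The Python below is an added example, not part of the Joe Sandbox report; it decodes both fields with the standard library only. The header it parses is constructed by build_sample_pe32 with the same four flags the report lists; to check a real file pass open(path, "rb").read() to parse_pe_header. Note that all four flags are the .NET compiler defaults and are not a signal of maliciousness on their own.

```python
"""Static checks behind the two 'Static PE information' lines above: decode
DllCharacteristics (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE)
and test whether IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is populated, which is
what marks a managed (.NET) image. Standard library only; the PE header
parsed at the bottom is constructed here, it is not the sample's header."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",          # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",             # DEP opt-in
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",                # image has no SEH handlers (typical of .NET)
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # data directory slot of the CLR header
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and return the fields the report cites."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics sits at +70 in both PE32 and PE32+; the data directory
    # count follows the stack/heap size fields, which are 4 or 8 bytes wide.
    if magic == PE32_MAGIC:
        ndirs_off = opt + 92
    elif magic == PE32PLUS_MAGIC:
        ndirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva = com_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, ndirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "sections": nsections,
        "optional_header_size": opt_size,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items())
                                if dllchar & bit],
        "is_dotnet": bool(com_rva and com_size),
    }


def build_sample_pe32(dllchar: int, with_clr_header: bool) -> bytes:
    """Constructed minimal PE32 header (no sections, not loadable) for the demo."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXE|32BIT
    opt = bytearray(224)                                            # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    if with_clr_header:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


def describe(data: bytes) -> str:
    info = parse_pe_header(data)
    kind = "managed (.NET) image" if info["is_dotnet"] else "native image"
    return "%s; DllCharacteristics: %s" % (kind, ", ".join(info["dll_characteristics"]) or "none")


if __name__ == "__main__":
    # Same four flags the report lists for rwzBBMVxUb.exe, plus a CLR header.
    print(describe(build_sample_pe32(0x8540, True)))
```

The check that matters for triage is is_dotnet: a positive result tells you to expect mscoree.dll, Assembly.Load(byte[]) style unpacking and managed injection rather than native shellcode, and to reach for a .NET decompiler instead of a disassembler.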

Data Obfuscation

Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, Q6j.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, Q6j.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, Q6j.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs .Net Code: M4V System.Reflection.Assembly.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs .Net Code: A System.Reflection.Assembly.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.2310000.0.raw.unpack, EO.cs .Net Code: hF System.AppDomain.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.29b1258.1.raw.unpack, EO.cs .Net Code: hF System.AppDomain.Load(byte[])
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs .Net Code: M4V System.Reflection.Assembly.Load(byte[])
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, EO.cs .Net Code: hF System.AppDomain.Load(byte[])
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs .Net Code: M4V System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Code function: 2_2_0121C14E push es; ret 2_2_0121C150
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Code function: 2_2_01213735 pushfd ; retf 2_2_01213741
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Code function: 2_2_012210C2 push esp; ret 2_2_01221111
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Code function: 2_2_064F4228 push esp; ret 2_2_064F4271
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 7_2_00EFC8FA push eax; iretd 7_2_00EFC8FD
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 7_2_00EF0C12 push esp; ret 7_2_00EF0C61
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 7_2_00F02177 push edi; retn 0000h 7_2_00F02179
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 7_2_00F0373D pushfd ; retf 7_2_00F03741
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 7_2_05F3364A push esp; ret 7_2_05F33699
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 9_2_015BC8FA push eax; iretd 9_2_015BC8FD
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 9_2_015B0C12 push esp; ret 9_2_015B0C61
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Code function: 9_2_015C2177 push edi; retn 0000h 9_2_015C2179
Source: rwzBBMVxUb.exe Static PE information: section name: .text entropy: 7.429122512994657
Source: qXLPL.exe.2.dr Static PE information: section name: .text entropy: 7.429122512994657
Source: 0.2.rwzBBMVxUb.exe.2310000.0.raw.unpack, EO.cs High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'
Source: 0.2.rwzBBMVxUb.exe.29b1258.1.raw.unpack, EO.cs High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, EO.cs High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'
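Three of the entries above are entropy heuristics: a .text section at 7.43 bits per byte, where unencrypted code normally scores well below that, and a type (EO.cs) whose method names are two-character tokens apart from the compiler-mandated Dispose. The Python below is an added example, not the sandbox's own scoring; Joe Sandbox's thresholds are not published on this page, so the 7.0 section cut-off and the short-name ratio are assumptions. It computes Shannon entropy for a section body and for concatenated method names, and the sample section bodies and the "plain" name list are constructed; only OBFUSCATED_NAMES is taken from the report.

```python
"""Entropy heuristics used in the Data Obfuscation entries above: Shannon
entropy of a section (packed/encrypted code scores near 8 bits/byte) and the
same measure applied to concatenated method names, with a short-name ratio as a
second, cruder obfuscation signal. Thresholds are assumptions, not the
sandbox's own. Sample inputs are constructed inline."""
import hashlib
import math
from collections import Counter

SECTION_ENTROPY_THRESHOLD = 7.0     # assumption: packed/encrypted .text is usually above this
SHORT_NAME_LEN = 2                  # assumption: obfuscators emit 1-2 character identifiers


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(section: bytes, threshold: float = SECTION_ENTROPY_THRESHOLD) -> bool:
    return shannon_entropy(section) >= threshold


def method_name_entropy(names) -> float:
    """Entropy of the method names of one type, concatenated as in the report."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


def short_name_ratio(names) -> float:
    """Fraction of names that are SHORT_NAME_LEN characters or fewer."""
    return sum(1 for n in names if len(n) <= SHORT_NAME_LEN) / len(names) if names else 0.0


# Constructed stand-ins for section bodies: a deterministic SHA-256 chain
# approximates an encrypted payload; zero fill approximates padding.
ENCRYPTED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8192 bytes
ZERO_FILL = b"\x00" * 8192

# Method names of EO.cs exactly as listed in the report: one real name, nine 2-char tokens.
OBFUSCATED_NAMES = ["Dispose", "R6", "hF", "op", "cI", "pW", "oE", "Sx", "BM", "kq"]
# Constructed, unobfuscated WinForms-style names for comparison.
PLAIN_NAMES = ["Dispose", "InitializeComponent", "Form1_Load", "button1_Click", "SaveSettings"]


if __name__ == "__main__":
    print("encrypted-like section: %.3f bits/byte, packed=%s"
          % (shannon_entropy(ENCRYPTED_LIKE), section_looks_packed(ENCRYPTED_LIKE)))
    print("zero fill: %.3f bits/byte" % shannon_entropy(ZERO_FILL))
    for label, names in (("EO.cs", OBFUSCATED_NAMES), ("plain", PLAIN_NAMES)):
        print("%s: name entropy %.2f, short-name ratio %.2f"
              % (label, method_name_entropy(names), short_name_ratio(names)))
```

Character entropy alone separates random-looking names from English-like ones only weakly, which is why the short-name ratio is worth computing alongside it: for EO.cs nine of ten names are two characters long, a pattern no compiler produces on its own.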
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Jump to dropped file
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qXLPL Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qXLPL Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (126).png
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File opened: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe:Zone.Identifier read attributes | delete Jump to behavior
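The persistence entries under Data Obfuscation (the drop to %AppData%\Roaming\qXLPL\qXLPL.exe and the HKCU Run value qXLPL), the Zone.Identifier deletion above, and the "Process created" lines where each executable spawns a copy of its own image are the behaviours a host sensor sees. The Python below is an added detection example, not part of the report, and runs four rules over constructed Sysmon-style events (event IDs 1, 11, 13 and 23 are Sysmon's process-create, file-create, registry-value-set and file-delete; the one-line field format is simplified and the events are modelled on the report, not captured). A Run-key hit is escalated when the value data points at a file the same stream already saw being dropped.

```python
"""Host-side detection for the persistence and Mark-of-the-Web removal listed
in this report, run over constructed Sysmon-style events (not real telemetry).
Event IDs follow Sysmon: 1 process create, 11 file create, 13 registry value
set, 23 file delete. Field names and the one-line format are simplified."""
import re

# Constructed events modelled on the behaviour in this report: drop to
# %AppData%\Roaming, Run-key value, Zone.Identifier deletion, self-spawn.
# The last two lines are benign activity that must not match.
SAMPLE_EVENTS = r"""
EventID=1 Image="C:\Users\user\Desktop\rwzBBMVxUb.exe" ParentImage="C:\Windows\explorer.exe"
EventID=11 Image="C:\Users\user\Desktop\rwzBBMVxUb.exe" TargetFilename="C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
EventID=13 Image="C:\Users\user\Desktop\rwzBBMVxUb.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qXLPL" Details="C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
EventID=23 Image="C:\Users\user\Desktop\rwzBBMVxUb.exe" TargetFilename="C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe:Zone.Identifier"
EventID=1 Image="C:\Users\user\Desktop\rwzBBMVxUb.exe" ParentImage="C:\Users\user\Desktop\rwzBBMVxUb.exe"
EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe"
EventID=11 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")


def parse_event(line: str) -> dict:
    """key=value pairs, values quoted when they contain spaces."""
    return {k: q if q else b for k, q, b in FIELD_RE.findall(line)}


def parse_events(text: str) -> list:
    return [parse_event(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(events) -> list:
    """Return findings as dicts. Run-key hits are escalated to high when the
    value data names a file this stream already saw being dropped."""
    findings, dropped = [], set()
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == "11":
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".exe") and any(p in target.lower() for p in USER_WRITABLE):
                dropped.add(target.lower())
                findings.append({"rule": "dropped_executable", "image": image,
                                 "detail": target, "severity": "medium"})
        elif eid == "13" and RUN_KEY in ev.get("TargetObject", "").lower():
            details = ev.get("Details", "")
            sev = "high" if details.lower() in dropped else "medium"
            findings.append({"rule": "run_key_persistence", "image": image,
                             "detail": details, "severity": sev})
        elif eid == "23" and ev.get("TargetFilename", "").lower().endswith(":zone.identifier"):
            findings.append({"rule": "motw_stripped", "image": image,
                             "detail": ev["TargetFilename"], "severity": "medium"})
        elif eid == "1" and image and image.lower() == ev.get("ParentImage", "").lower():
            findings.append({"rule": "self_spawn", "image": image,
                             "detail": ev["ParentImage"], "severity": "medium"})
    return findings


def rules_triggered(events) -> set:
    return {f["rule"] for f in evaluate(events)}


if __name__ == "__main__":
    for f in evaluate(parse_events(SAMPLE_EVENTS)):
        print("[%s] %s by %s: %s" % (f["severity"], f["rule"], f["image"], f["detail"]))
```

Each rule fires on ordinary activity now and then (installers drop executables under %AppData%, updaters register Run values), which is why the example keeps per-process state: the combination seen here, one process dropping an executable, registering it in Run, stripping its Zone.Identifier and then respawning its own image, is the sequence worth alerting on.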
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process information set: NOOPENFILEERRORBOX (105 identical entries collapsed) Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process information set: NOOPENFILEERRORBOX (observed 202 times)

Malware Analysis System Evasion

Source: Yara match File source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 2580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 8640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 6C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 9640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: A640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: AA40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: BA40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 2C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 2DB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: 4DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 2610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 24A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 7FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 6970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 8FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 9FD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: A390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: B390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: A390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 10B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 2BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 4EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 8BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 7390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 9BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: ABF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: AFD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: BFD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 1420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Thread delayed: delay time: 922337203685477 (observed 2 times)
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 922337203685477 (observed 4 times)
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Window / User API: threadDelayed 1517
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Window / User API: threadDelayed 8340
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Window / User API: threadDelayed 3178
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Window / User API: threadDelayed 6655
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Window / User API: threadDelayed 3088
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Window / User API: threadDelayed 6748
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6520 Thread sleep time: -48805s >= -30000s
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6456 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6652 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6424 Thread sleep count: 1517 > 30
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6424 Thread sleep count: 8340 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 2208 Thread sleep time: -59082s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 7100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6364 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6364 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6376 Thread sleep count: 3178 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6376 Thread sleep count: 6655 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 1880 Thread sleep time: -53376s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 3552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6956 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6956 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6988 Thread sleep count: 3088 > 30
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6988 Thread sleep count: 6748 > 30
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Thread delayed: delay time: 48805
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 59082
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 53376
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Thread delayed: delay time: 922337203685477
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: qXLPL.exe, 00000009.00000002.4198958338.00000000069C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: rwzBBMVxUb.exe, qXLPL.exe.2.dr Binary or memory string: 385eGEzfv<pf385eG<IgogJD3Y6e8IJWo4Zg}YpXDTKhoU4[3Y5fDj[]n8ZVlIJYiU[]}ET]9o5XiU[]}Ez]xo5gkMKUx3Z]3Q[hWET]9o5XDXZek83[3Y5fDXJelI5fyE6fsUXVDL[]xoZ\385eGoHD}gpesUKgoQIDtYIDdsJD}gpesUKgoQ4[3Y5]DTKe4Ip]oUHD[UIDOMID}jIDnYphs85e|k5\xo6XDX5fkM3fq8Zd3U[]WETU}EDgvY[\pYJUiU[]qET]m8Z\3QqeMUKe4Ip]oUJD]gKD}{Z\4I[UoQpeoM[]pYpXDXI]DnKel4Z]}Q[TDnKel4Z]}Q[TiU[]qEjeyoJgks[dvIp\y{5Ux3Z]3Q[hWEzep8ZVoM[g3{ZgGEzfoQpf4<5foMoOwYJg}o6XDL[]qIpek4X]mM[gyQ[]VEz\xEDdP<HD7{XgDXZgvIpYiU[]}ET]4{
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: rwzBBMVxUb.exe, 00000002.00000002.4196267618.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4140934304.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Code function: 2_2_01227B30 LdrInitializeThunk, 2_2_01227B30
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Memory written: C:\Users\user\Desktop\rwzBBMVxUb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory written: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Memory written: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Users\user\Desktop\rwzBBMVxUb.exe VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Users\user\Desktop\rwzBBMVxUb.exe VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000009.00000002.4156381468.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR
No contacted IP infos