Edit tour

Windows Analysis Report
z1quote93039-pdf.exe

Overview

General Information

Sample name:	z1quote93039-pdf.exe
Analysis ID:	1522584
MD5:	1b772b5b66b9adc3b67eae3627e75059
SHA1:	87cc3b9ceef68d8640aca684e42e15e0b3b4ed13
SHA256:	17ea3ecae5fa2fbe640e5bfdf146dae281256aad17813aa6a30f6c5045845670
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

z1quote93039-pdf.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\z1quote93039-pdf.exe" MD5: 1B772B5B66B9ADC3B67EAE3627E75059)

RegSvcs.exe (PID: 3276 cmdline: "C:\Users\user\Desktop\z1quote93039-pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "kingship@zqamcx.com", "Password": "Methodman991"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3265593518.0000000002D28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x333b5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33427:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x334b1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33543:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x335ad:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3361f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x336b5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33745:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.zqamcx.com", "Username": "kingship@zqamcx.com", "Password": "Methodman991"}

Multi AV Scanner detection for domain / URL

Source: zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: mail.zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: http://mail.zqamcx.com	Virustotal: Detection: 9%	Perma Link
Source: http://zqamcx.com	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for submitted file

Source: z1quote93039-pdf.exe	Virustotal: Detection: 29%			Perma Link
Source: z1quote93039-pdf.exe	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: z1quote93039-pdf.exe

Joe Sandbox ML: detected

Source: z1quote93039-pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: z1quote93039-pdf.exe, 00000000.00000003.2076116971.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2075742491.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2074218107.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z1quote93039-pdf.exe, 00000000.00000003.2076116971.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2075742491.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2074218107.00000000045D0000.00000004.00001000.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 78.110.166.82:587

Source: Joe Sandbox View

IP Address: 78.110.166.82 78.110.166.82

Source: Joe Sandbox View

ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location UKSERVERS-ASUKDedicatedServersHostingandCo-Location

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 78.110.166.82:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.zqamcx.com

Source: RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.zqamcx.com
Source: RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0#
Source: RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zqamcx.com
Source: RegSvcs.exe, 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B54A88	2_2_02B54A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B59B18	2_2_02B59B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B53E70	2_2_02B53E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B5CE68	2_2_02B5CE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02B541B8	2_2_02B541B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F3F30	2_2_060F3F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F5750	2_2_060F5750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F8C08	2_2_060F8C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060FDD73	2_2_060FDD73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F2B08	2_2_060F2B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F9B68	2_2_060F9B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F0040	2_2_060F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060FBD88	2_2_060FBD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F321F	2_2_060F321F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F5058	2_2_060F5058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060F49D8	2_2_060F49D8

Source: z1quote93039-pdf.exe, 00000000.00000003.2075865717.00000000046FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z1quote93039-pdf.exe
Source: z1quote93039-pdf.exe, 00000000.00000003.2073494595.0000000004553000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs z1quote93039-pdf.exe

Source: z1quote93039-pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

File created: C:\Users\user\AppData\Local\Temp\Lymnaeidae

Jump to behavior

Source: z1quote93039-pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: z1quote93039-pdf.exe	Virustotal: Detection: 29%
Source: z1quote93039-pdf.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

File read: C:\Users\user\Desktop\z1quote93039-pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\z1quote93039-pdf.exe "C:\Users\user\Desktop\z1quote93039-pdf.exe"
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1quote93039-pdf.exe"
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1quote93039-pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\z1quote93039-pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: z1quote93039-pdf.exe

Static file information: File size 1200301 > 1048576

Source:	Binary string: wntdll.pdbUGP source: z1quote93039-pdf.exe, 00000000.00000003.2076116971.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2075742491.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2074218107.00000000045D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: z1quote93039-pdf.exe, 00000000.00000003.2076116971.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2075742491.0000000004430000.00000004.00001000.00020000.00000000.sdmp, z1quote93039-pdf.exe, 00000000.00000003.2074218107.00000000045D0000.00000004.00001000.00020000.00000000.sdmp

Source: z1quote93039-pdf.exe

Static PE information: real checksum: 0xa2135 should be: 0x131c8b

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

API/Special instruction interceptor: Address: 4142244

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 444			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4734			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98794	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A4B008

Jump to behavior

Source: C:\Users\user\Desktop\z1quote93039-pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z1quote93039-pdf.exe"

Jump to behavior

Source: z1quote93039-pdf.exe

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3276, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
z1quote93039-pdf.exe	29%	Virustotal		Browse
z1quote93039-pdf.exe	47%	ReversingLabs	Win32.Trojan.Autoitinject
z1quote93039-pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
zqamcx.com	9%	Virustotal		Browse
mail.zqamcx.com	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://account.dyn.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://mail.zqamcx.com	9%	Virustotal		Browse
http://zqamcx.com	9%	Virustotal		Browse
http://r11.i.lencr.org/0#	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
zqamcx.com	78.110.166.82	true	true	9%, Virustotal, Browse	unknown
mail.zqamcx.com	unknown	unknown	true	9%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.zqamcx.com	RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
http://zqamcx.com	RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
https://account.dyn.com/	RegSvcs.exe, 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r11.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://r11.i.lencr.org/0#	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265177834.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3267579333.0000000006220000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3267579333.0000000006261000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.110.166.82	zqamcx.com	United Kingdom		42831	UKSERVERS-ASUKDedicatedServersHostingandCo-Location	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522584
Start date and time:	2024-09-30 11:59:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	z1quote93039-pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:00:02	API Interceptor	25x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.110.166.82	COB756883.vbs	Get hash	malicious	CobaltStrike	Browse	windowsupdatesolutions.com/ServerCOB.txt
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php
	Ingreso_SII_Abril_2021.cmd	Get hash	malicious	Unknown	Browse	www.emolcl.com/namaste/puma.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zqamcx.com	eFatura_ETN2024000000575_Ekleri.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	SecuriteInfo.com.Win32.MalwareX-gen.16545.12050.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	DOC25082024.bat.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Halkbank_Ekstre_20240826_081429_424889.bat.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location	z25RFQ945894-PDF.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php/	Get hash	malicious	Unknown	Browse	5.101.173.45
	https://client31.webvalue.party/wp-content/uploads/weTranser_edited/weTranser_edited/index.php?email%5C=3mail@b.c	Get hash	malicious	Unknown	Browse	5.101.173.45
	450230549.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	CCE_000110.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	https://qrplanet.com/smdv5p/	Get hash	malicious	Unknown	Browse	5.101.173.45
	22.09.2024-22.09.2024.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	FaturaHat#U0131rlatma.exe	Get hash	malicious	AgentTesla	Browse	78.110.166.82
	Payment_Release-Now cnesst.gouv.qc.ca.html	Get hash	malicious	Unknown	Browse	5.101.173.45
	Payment Advice.pdf.js	Get hash	malicious	Remcos	Browse	178.159.12.230

Process:	C:\Users\user\Desktop\z1quote93039-pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.540118408936613
Encrypted:	false
SSDEEP:	6144:dqnGi1vMoTut2AiEvj4yMV0N4yCFbfI86NhkzED:GGmutkEr4yC0etWSED
MD5:	62E06E1942E981147CA2DFFF8453F6B1
SHA1:	E3E8477053643D1A84432E260077AD409D02F8F6
SHA-256:	A99FF7071866ECAE165C8BE926E92F75CC6B40EFE3C97AD184750CB426809F3F
SHA-512:	1435F0FDFAC293C30DFC194F1A4C9FE243482CEAA47D563C04D44E1230DEA48E4313527DA6D957A6E124D5EBF6B52C082BFFE3B6D23E0B50016432BD790014DC
Malicious:	false
Reputation:	low
Preview:	y..3UOG9NK3J..90.4L93VOGyJK3JP09024L93VOG9JK3JP09024L93VOG9J.3JP>&.<4.0.w.Fu.jg"9C.@@[+KR;o$X$%\>pR\.@A".Z8o.v.k^%4U.=?>h93VOG9J.vJP\|832[./VVOG9JK3J.0;195G93.LG9BK3JP09>.7L9.VOG.IK3J.09.24L;3VKG9JK3JP49024L93VOC9JI3JP09004..3V_G9ZK3JP 90"4L93VOW9JK3JP09024..0V.G9JK.IPv<024L93VOG9JK3JP0902.O9?VOG9JK3JP09024L93VOG9JK3JP09024L93VOG9JK3JP09024L93VoG9BK3JP09024L9;vOGqJK3JP09024L.G3739JK'.S09.24L.0VOE9JK3JP09024L93vOGYd9@83090t1L93.LG9LK3J.39024L93VOG9JKsJPp.BWX#Z3VCG9JK.IP0;024.:3VOG9JK3JP090r4L{3VOG9JK3JP09024L.UOG9JK{JP0;074..1V_v8JH3JP19044L93VOG9JK3JP09024L93VOG9JK3JP09024L93VOG9JK3JP0$....{h.:.@)4.v.^.1....6.vE.&.+$..yrA......?M..P.6....0....L.C63Q..tY8'A/j=d<+.-..n.q.G...?$.I..G..ZJ.....lh..\|6Dll..G..$V'eR: \\.aUXA?.E.KK3JP........?7.cgH<Td"Af.....D7....4P09T24LK3VO&9JKtJP0V024"93V1G9J53JPv902tL93aOG9oK3J=090.4L9MVOG.7D<...PC..L93VOr..{.'...o.....`>.G.)....].y..<`.@/.=.....7.._..$.$A...4KV4<250O5.X....j1NT5;767@.=....k......E...5.EJK3JP0.02.L93..G.JK3.P.9..4L9..O.9.K...0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.428196616763776
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	z1quote93039-pdf.exe
File size:	1'200'301 bytes
MD5:	1b772b5b66b9adc3b67eae3627e75059
SHA1:	87cc3b9ceef68d8640aca684e42e15e0b3b4ed13
SHA256:	17ea3ecae5fa2fbe640e5bfdf146dae281256aad17813aa6a30f6c5045845670
SHA512:	cd652cb7f23a7b15478d1a051f76ed2a056f52367f31debdf61b5c66ff979807fd8049363e25d55a2c7fb4c5f10691885111356093261be11e44da622a462208
SSDEEP:	24576:ffmMv6Ckr7Mny5QLRnYm9fuv1gDri+F4ZWXD:f3v+7/5QLSPyriR8D
TLSH:	CB45E112F3D680B6D9A33971297BE36AEB3575194327C48BA7E02F778F211009B36761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007FEEF8E00FDCh
jmp 00007FEEF8DF4DAEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FEEF8DF4F3Ah
cmp edi, eax
jc 00007FEEF8DF50DAh
cmp ecx, 00000100h
jc 00007FEEF8DF4F51h
cmp dword ptr [004A94E0h], 00000000h
je 00007FEEF8DF4F48h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FEEF8DF4F3Ah
pop esi
pop edi
pop ebp
jmp 00007FEEF8DF539Ah
test edi, 00000003h
jne 00007FEEF8DF4F47h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FEEF8DF4F5Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FEEF8DF4F3Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FEEF8DF4EFEh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 12:00:04.334403992 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:04.339457035 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:04.339524984 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:04.896373987 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:04.896959066 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:04.901901960 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.062889099 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.063066959 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.067979097 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.229546070 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.235908985 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.241631031 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.413662910 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.413676023 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.413695097 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.413768053 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.454911947 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.456653118 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.461582899 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.622407913 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.635878086 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.640666962 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.801407099 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.802545071 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.807418108 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.968107939 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:05.969196081 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:05.974001884 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.142059088 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.144371986 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.149298906 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.310466051 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.310795069 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.315843105 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.481287956 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.481585026 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.486500978 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.647078991 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.647787094 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.647855997 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.647855997 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.647891998 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:00:06.652635098 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.652645111 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.652808905 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.652812958 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.911539078 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:00:06.954910994 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:01:44.267761946 CEST	49704	587	192.168.2.5	78.110.166.82
Sep 30, 2024 12:01:44.275836945 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:01:44.437308073 CEST	587	49704	78.110.166.82	192.168.2.5
Sep 30, 2024 12:01:44.441055059 CEST	49704	587	192.168.2.5	78.110.166.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 12:00:04.242849112 CEST	55061	53	192.168.2.5	1.1.1.1
Sep 30, 2024 12:00:04.318491936 CEST	53	55061	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 12:00:04.242849112 CEST	192.168.2.5	1.1.1.1	0x20f8	Standard query (0)	mail.zqamcx.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 12:00:04.318491936 CEST	1.1.1.1	192.168.2.5	0x20f8	No error (0)	mail.zqamcx.com	zqamcx.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 12:00:04.318491936 CEST	1.1.1.1	192.168.2.5	0x20f8	No error (0)	zqamcx.com		78.110.166.82	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 30, 2024 12:00:04.896373987 CEST	587	49704	78.110.166.82	192.168.2.5	220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 30 Sep 2024 11:00:04 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 30, 2024 12:00:04.896959066 CEST	49704	587	192.168.2.5	78.110.166.82	EHLO 210395
Sep 30, 2024 12:00:05.062889099 CEST	587	49704	78.110.166.82	192.168.2.5	250-cphost14.qhoster.net Hello 210395 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Sep 30, 2024 12:00:05.063066959 CEST	49704	587	192.168.2.5	78.110.166.82	STARTTLS
Sep 30, 2024 12:00:05.229546070 CEST	587	49704	78.110.166.82	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	05:59:56
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\z1quote93039-pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1quote93039-pdf.exe"
Imagebase:	0x400000
File size:	1'200'301 bytes
MD5 hash:	1B772B5B66B9ADC3B67EAE3627E75059
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:00:01
Start date:	30/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\z1quote93039-pdf.exe"
Imagebase:	0x9f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3265593518.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3265593518.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3265593518.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3264800180.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 060F0040 Relevance: 8.4, Strings: 6, Instructions: 941COMMON

Download Yara Rule

Strings

$]q, xrefs: 060F0CA2
$]q, xrefs: 060F0CEF
$]q, xrefs: 060F0CCB
$]q, xrefs: 060F0CFB
$]q, xrefs: 060F0CAE
$]q, xrefs: 060F0CD7

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: a123d057584986f3079511d683631859e1a3fd02c24d2afb3cc55a405bb19674
Instruction ID: 90193ac86525a6776d944fe0a79bb2307d392221d3d9606ccc636d90e711dab6
Opcode Fuzzy Hash: a123d057584986f3079511d683631859e1a3fd02c24d2afb3cc55a405bb19674
Instruction Fuzzy Hash: F4826D30E106198FCB54DF64C994A9DBBF2FF85300F54C6A9D50AAB265EB70ED85CB80

Function 060F5750 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 060F5CF7
$]q, xrefs: 060F5CEB

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 8236c77144f6f6e04fd9bdb5ce4950fe86445b2dab1082e025e04067018ba62d
Instruction ID: 5798726f4e100c96e5f1556793d6ce35a54f0114638cc76e75fbf376cb343bac
Opcode Fuzzy Hash: 8236c77144f6f6e04fd9bdb5ce4950fe86445b2dab1082e025e04067018ba62d
Instruction Fuzzy Hash: 3902D030B602059FCB95DF68D984AAEBBE2FF84310F148528D50ADB794DB35EC42CB91

Function 060FDD73 Relevance: 2.8, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xaq, xrefs: 060FDE97
$]q, xrefs: 060FDE7E

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 4652ee121cabdc82e9ac5032a750bc15e86b5f66cf15101372256d71eeaf0600
Instruction ID: 4f7b4e77c6455e9d324c575378d549725aba4487d557a207481d3b0763b25f54
Opcode Fuzzy Hash: 4652ee121cabdc82e9ac5032a750bc15e86b5f66cf15101372256d71eeaf0600
Instruction Fuzzy Hash: 39B1D034F442189FDB48AB79985567E7BB7BFC8740B05886ED106E7394CE38CC068B92

Function 02B59B18 Relevance: 2.8, Instructions: 2842COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2031adaa781afd773a308e2ef8371da8f3e570ad5ac5a830becd70cc66a71ff
Instruction ID: acb606f9299af1a8ccb39fb0567234ebf82d5edc35757dba3bc43bcf9f05c2b1
Opcode Fuzzy Hash: b2031adaa781afd773a308e2ef8371da8f3e570ad5ac5a830becd70cc66a71ff
Instruction Fuzzy Hash: 5963F931D10B1A8ADB11EF68C8546A9F7B1FF99300F11D79AE4587B121EB70AAD4CF81

Function 02B5CE68 Relevance: 2.3, Instructions: 2312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d670893d083fbeea129b77ab5bc98ba7703f14371a69962fe35f27f52e2205ce
Instruction ID: 5ac1247c6fdd8319daa8f95d3c02b444c525f2a5936ac30eacc3932aaf2b20c0
Opcode Fuzzy Hash: d670893d083fbeea129b77ab5bc98ba7703f14371a69962fe35f27f52e2205ce
Instruction Fuzzy Hash: AE331131D107198EDB11EF68C8846ADF7B1FF99300F15D79AE458AB211EB70AAC5CB81

Function 060F3F30 Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a18661472f67ab93d592a2e76c49439bfac390aeddeac73765ba1e3c36038f5
Instruction ID: c3583aca93956e1bfcc389f079753c8eaf377452069e486ab5bbfc6ac4c6a83d
Opcode Fuzzy Hash: 1a18661472f67ab93d592a2e76c49439bfac390aeddeac73765ba1e3c36038f5
Instruction Fuzzy Hash: 7262BE34F502049FDB94DB68D584AAEBBF2EF84310F148469E906DB796DB35EC42CB90

Function 060F9B68 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00fbac485f9ce5271a0a43d413675abfa70c2ec0cba3a5bc0864fba469f5515
Instruction ID: 839f3e357b748a34351a30884cba1d5556ebe9f71ce65123b9b0bfd639b66135
Opcode Fuzzy Hash: a00fbac485f9ce5271a0a43d413675abfa70c2ec0cba3a5bc0864fba469f5515
Instruction Fuzzy Hash: 75328D31B502099FDB94EB68E980BADBBF6FB88310F108825E509D7754DB35EC46CB91

Function 060F2B08 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74eb0500ac54b65c0fc30ddc54235d1bb481b61fc7855145e33b15581d26e981
Instruction ID: e4cbb52251ef1eb8577555a8b047169a9640dc909a25cd5e04111f7e0fe0c4e2
Opcode Fuzzy Hash: 74eb0500ac54b65c0fc30ddc54235d1bb481b61fc7855145e33b15581d26e981
Instruction Fuzzy Hash: 3312D431F502059BDBA4DFA4C88076EBBF2FF85310F248869DA199B784DA34DD46CB91

Function 060F8C08 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def3ba810e2ea225afad184f9b011562e3850235fec011c7e8c50052a8e2246e
Instruction ID: 78d38060c76cac7dfb93d1cd55ffd708ded9f1c4733ab9521d546ed923804a0e
Opcode Fuzzy Hash: def3ba810e2ea225afad184f9b011562e3850235fec011c7e8c50052a8e2246e
Instruction Fuzzy Hash: 6822A130E602098FEFA4CB68D4807ADBBF6EB45310F248926E509DB795DB34DC85CB91

Function 02B54A88 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed863ec483dc6b158681b3c4c19d493379a2b5be91a3863ac35906c3faf29d3f
Instruction ID: 628c4ee43832a769ddf3a977273a50c09461a09d29d79ce2d1cc06501e9f5a9b
Opcode Fuzzy Hash: ed863ec483dc6b158681b3c4c19d493379a2b5be91a3863ac35906c3faf29d3f
Instruction Fuzzy Hash: 5DB16F70E006298FDF14CFA9C98179DBBF2EF88318F148169D815EB294EB749885CF91

Function 02B53E70 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15aeec49e0ad3c9fd21f5628e216f3278cf717c1f87797176e22ca38112ad55
Instruction ID: 002b7caf4d20b1923e61fdb2cd6de49994c59fb87792df65a4339dced27770c3
Opcode Fuzzy Hash: f15aeec49e0ad3c9fd21f5628e216f3278cf717c1f87797176e22ca38112ad55
Instruction Fuzzy Hash: C9915C70E00319DFDF14DFA9C98579EBBF2EF88314F148169E819AB254EB349885CB91

Function 02B56EC0 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 02B56EF6
LR]q, xrefs: 02B56F8E

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR]q$LR]q
API String ID: 0-3917262905
Opcode ID: 99b6c820c267a2c5acab89635beae9857cf557824c235085fa10275ecbd969bb
Instruction ID: dce371c2fcccecfb01f72a2fd442c505fb5c36f741817b5da8222e924be807b3
Opcode Fuzzy Hash: 99b6c820c267a2c5acab89635beae9857cf557824c235085fa10275ecbd969bb
Instruction Fuzzy Hash: AD51F531F043559FDB05DBB8C45039EB7B6EF85300F5488AAE805EF290EB749842CB51

Function 060FE218 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9a83015b47c1ad23186dedb0fbd984e682cb62b69c4232ff321d0f5a62efc9
Instruction ID: 4e2bf1bf2bb88c2fe0405d1f678832b856141fc22ab2c88e5b8d4ec8399b0836
Opcode Fuzzy Hash: 7a9a83015b47c1ad23186dedb0fbd984e682cb62b69c4232ff321d0f5a62efc9
Instruction Fuzzy Hash: 48415871D143969FCB04CF79D8046DEBFF1AF89310F1485ABD508A7651DB789844CBA1

Function 060FE300 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 060FE367

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 494274b4e08d456543b1f2c2836c3a674c43463feb3946ca4cd0d68935212841
Instruction ID: a848d8a389c50341ae1bb60a97d4e60b6113672faac508a272d16f9b097658a1
Opcode Fuzzy Hash: 494274b4e08d456543b1f2c2836c3a674c43463feb3946ca4cd0d68935212841
Instruction Fuzzy Hash: B3111FB1C006599BCB10DFAAC548A9EFBF4FF48320F10812AD918B7250D378A940CFA5

Function 02B5F3DD Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH]q, xrefs: 02B5F52B

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 6c700add26be83e24f6cbe356b9497ce48981dcb1e5b320438b6a60d0e159385
Instruction ID: 338162daa49c9994651d46e07f2c8ce69c525523616e2544dceba059a0a36bd4
Opcode Fuzzy Hash: 6c700add26be83e24f6cbe356b9497ce48981dcb1e5b320438b6a60d0e159385
Instruction Fuzzy Hash: 70311F31B002118FCB19AB74955076EBBE6EF8A340B1444A8D806DB396DF34DD46CBA5

Function 02B56F60 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR]q, xrefs: 02B56F8E

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 916aed621bbe1860ae1700d131030d94aabb8793f42352a3fcb0bcd563964774
Instruction ID: e27037754b7961e4a36666285d9a3aa7c13bc85d17e1893cba0e95a904ad6dcf
Opcode Fuzzy Hash: 916aed621bbe1860ae1700d131030d94aabb8793f42352a3fcb0bcd563964774
Instruction Fuzzy Hash: 77318131F102199BEF14CFA5D44079EF7B6EF85300F548565E806FB250EBB1A942CB51

Function 02B56B6A Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

LR]q, xrefs: 02B56BBF

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 5a8e9cc28b28ca1cb920ab213e70ae067d078f566a298b03a6007870498b46a4
Instruction ID: f0a87f9fb85013796c7125a94a31ae16cb0c80743f54bedefcd2eaa60f34571d
Opcode Fuzzy Hash: 5a8e9cc28b28ca1cb920ab213e70ae067d078f566a298b03a6007870498b46a4
Instruction Fuzzy Hash: FA218B73B041909FC306AB3CD86539A7BB6EF85304F0444EAD004CB752EE398846C792

Function 02B578F3 Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e819b6f6bdf212a6ced0a1c58097a6714036aaf82423b21217379842c7b7aac
Instruction ID: 57f4c9ca51b33c0e3272b3de8cab26c9bc440cc0e199ccd6896d3bc87b711097
Opcode Fuzzy Hash: 2e819b6f6bdf212a6ced0a1c58097a6714036aaf82423b21217379842c7b7aac
Instruction Fuzzy Hash: 29126F307102028BDB19AB28E994769B7A7FB85304F504E79E405CB394DFB5EC4BDBA1

Function 02B5934C Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64dc4f956bbde6423b041166f816e469c78700c11e495dd67c7ea018b11614a
Instruction ID: 295bdc0c49a9b60e7fddf0e323a547f3168d3a327fa05640f57bbdbf42e1bdbb
Opcode Fuzzy Hash: c64dc4f956bbde6423b041166f816e469c78700c11e495dd67c7ea018b11614a
Instruction Fuzzy Hash: 8DE18D35A00615CFDB14DFA4D984BADBBB2EF88310F1484A9E806DB3A5DB34DC46CB91

Function 02B596C8 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d1b7e720ea8d48a60508745adbaed3dd39b8d169ad418b63e20b7ac73bffde
Instruction ID: 8107ca0d05ebb65abe48de5cc3b9729cf665e4de15ab791b8c9c812de3a38963
Opcode Fuzzy Hash: 80d1b7e720ea8d48a60508745adbaed3dd39b8d169ad418b63e20b7ac73bffde
Instruction Fuzzy Hash: 98C1BD31A00615CFDB14CFA8D88479EBBB2EF88314F2085AAE909DF395DB70D845CB91

Function 02B54A7F Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da071bcc12164f59501e3e861b801eed6bd5df6dd1558e0f3380922df01ff08
Instruction ID: a13be2218686702451a0acb8ba0a3a40ee39f16e211cc56d2e8f3c3e31a67149
Opcode Fuzzy Hash: 7da071bcc12164f59501e3e861b801eed6bd5df6dd1558e0f3380922df01ff08
Instruction Fuzzy Hash: 0CA14D70E00629CFDF10CFA9C98579DBBF1EF88318F148169D819AB294EB749885CF91

Function 02B53E64 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5896872d35f71f44778ad8b4a946553ed29064e6fc4cc4e8687f4d675137a16b
Instruction ID: f810cd32735a10402f81993e0b9a092168d91bf2649d4188b1fb3db86d447ae9
Opcode Fuzzy Hash: 5896872d35f71f44778ad8b4a946553ed29064e6fc4cc4e8687f4d675137a16b
Instruction Fuzzy Hash: 5D915C70E00219DFDF10DFA8D98579DBBF2EF88318F148169E819AB254EB749885CB91

Function 02B54800 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2a5c6d150b1a0780c74a57affb24de1e3c4cb8392e23c171c2bcad636d6f5b
Instruction ID: 1eceee0ac8fb9ce7d0048b9b081366fbb9167887493e49ce85b1ff427c801d30
Opcode Fuzzy Hash: 2f2a5c6d150b1a0780c74a57affb24de1e3c4cb8392e23c171c2bcad636d6f5b
Instruction Fuzzy Hash: 38717EB0E002599FDB14DFA9C84579EBBF2FF88304F148169E815AB254EB749881CF95

Function 02B547F4 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec894b1ac69baadeccfc833e28c3993cc36d45d8dcf381b85bc51bea4ef23e8
Instruction ID: 317383a08e94f6821d7234a1a3e5f414c8c96600f46c0a090ecbdbe4062acfd0
Opcode Fuzzy Hash: 7ec894b1ac69baadeccfc833e28c3993cc36d45d8dcf381b85bc51bea4ef23e8
Instruction Fuzzy Hash: 57717AB0E002599FDB11DFA8C9857DEBBF1FF88304F148169E815AB254EB749882CF95

Function 02B56CC5 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9e1cb29cd5465b3d0a0ea12a4a9d3d16776d320722e016c2c7012c00019c2f
Instruction ID: 649b41256cc8f8b016221144c9ef0d2fafacea015ba06eddacadc0b09b5b3b39
Opcode Fuzzy Hash: cf9e1cb29cd5465b3d0a0ea12a4a9d3d16776d320722e016c2c7012c00019c2f
Instruction Fuzzy Hash: 175112B4D002288FDB18CFA9C885B9DBBB5FF48304F54855AE819BB394D778A844CF95

Function 02B56CD0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc4f253e73e678912f3473f20a6ee222bdf7b9ecade4bc9161f059618a7c48d
Instruction ID: 1e41d630fa0452ebcdb18ffedfccd54f1f438740b64963ba0a9103b0c955fac1
Opcode Fuzzy Hash: 1dc4f253e73e678912f3473f20a6ee222bdf7b9ecade4bc9161f059618a7c48d
Instruction Fuzzy Hash: 3F5122B4D002288FDB18CFA9C884B9DBBB5FF48304F54855AE819BB390DB74A844CF95

Function 02B5112B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5b85438458ba895758f6e0fbfd540f0d313237b4e34f34fe9065d99e9a60d6
Instruction ID: acc7f04a2223218109e0036a8d5896e0792c8d6a7cdaea2371796c8712dcbebe
Opcode Fuzzy Hash: 3a5b85438458ba895758f6e0fbfd540f0d313237b4e34f34fe9065d99e9a60d6
Instruction Fuzzy Hash: 0F51CC306421828FCB0AFF28F990B553F69FB95304B045A69D055DB23DFB74AD0ADBA0

Function 02B51138 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b8c504834fe49c867a3fc45c242596867f1121371d523094eeefc10a275aa5
Instruction ID: cbc0c82f8bec8a75446fbd926541ca28348fa34a0a733e8641cd936419b1dd2f
Opcode Fuzzy Hash: c5b8c504834fe49c867a3fc45c242596867f1121371d523094eeefc10a275aa5
Instruction Fuzzy Hash: 2451BB306521828FCB0AFF28F990B553F69FB95304B045A69D055DB23DFB74AD0ADBA0

Function 02B59139 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c760396e8c69bb149ec37b25e6f842bb7b216b6023416fe25a555b57c52a5a60
Instruction ID: 5b001411fc4f7edb54666e441fcd7fd74ff3d838a4fcb38aa54f799d05d7057f
Opcode Fuzzy Hash: c760396e8c69bb149ec37b25e6f842bb7b216b6023416fe25a555b57c52a5a60
Instruction Fuzzy Hash: 8131F531E00629DBDB15CFA5D98479EB7B6EF89300F10856AEC05EB340DB71D882CB91

Function 02B5F2A0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b080907dd34976ad82bb621fe85a0de61c647d4cdd815b0e506e1bd665ef83
Instruction ID: 990b94430d975ca740577372bd73f8d7ae0252573439efef22f68d6a2751faeb
Opcode Fuzzy Hash: a5b080907dd34976ad82bb621fe85a0de61c647d4cdd815b0e506e1bd665ef83
Instruction Fuzzy Hash: B6318135E102169BDB15DF65D8947AEF7B2EF89300F10C519E806EB750DB74AC42CB50

Function 02B526CC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56160d8aff1f4e882cf30a885186658974c1558687e64c711cd4347f7a8c847
Instruction ID: 13c328e032edf0167805b6b59b204a9be4e04a224b8ed2ba2c42bcf8a3112838
Opcode Fuzzy Hash: a56160d8aff1f4e882cf30a885186658974c1558687e64c711cd4347f7a8c847
Instruction Fuzzy Hash: 55410FB5D01348DFDB10CFA9C984ADEBFB5FF48310F24846AE809AB254DB75A945CB90

Function 02B5F2B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d211f269270137cf27a7c78e15d47a4fa41d3de714dfa026b6816e44f705345e
Instruction ID: 96c77049df13c823610334448c9222b2904e1427ec9645d3e2b38fa88b6c6944
Opcode Fuzzy Hash: d211f269270137cf27a7c78e15d47a4fa41d3de714dfa026b6816e44f705345e
Instruction Fuzzy Hash: 10316D35E1021A9BDB19DF65D8947AEF7B2EF89310F10C529E806EB750DB74AC42CB50

Function 02B526D8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd272d0cbf5f9cc55088d219d284a8e7da35ee87ae83b5723c3857276312b46a
Instruction ID: 7de7e884e29e82f81012483f4519c24b3ba64fce217931d4ee0720989a33f2c3
Opcode Fuzzy Hash: cd272d0cbf5f9cc55088d219d284a8e7da35ee87ae83b5723c3857276312b46a
Instruction Fuzzy Hash: 1F410EB0D013489FDB10DFA9C584ADEBFF5FF48310F20802AE809AB254DB75A945CB90

Function 02B59237 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa455012d8b5565c7d591abe158c1c3a2cfa0a030d5367a26495a2f834bad7f
Instruction ID: 6b50f59e5aeed45436632872547fd2ecae93e7fa905800ba9a93ea3dc84a926f
Opcode Fuzzy Hash: 5aa455012d8b5565c7d591abe158c1c3a2cfa0a030d5367a26495a2f834bad7f
Instruction Fuzzy Hash: 9931C131E00619DBDB15CFA4D88479EFBB6EF89300F14C559E805EB340EB719882CB90

Function 02B51690 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89e4abaa4e7b4041baccbfbd074cf5d313434025f3e80c028920fa0b7e1e390
Instruction ID: 037520903415f8ca4cabebd1ba49db4d5b27034cd1f7494b2065bb8d73dafa25
Opcode Fuzzy Hash: f89e4abaa4e7b4041baccbfbd074cf5d313434025f3e80c028920fa0b7e1e390
Instruction Fuzzy Hash: 962180756201515BDF22FB6CE984B5A3759EB84304F104AA1E80ECF269FF38DD49CB91

Function 02B59248 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7992b648cd88bc56b748226ed45a472876c59047583b5c031b1e175cd86a4a75
Instruction ID: c5fe1555a4af0ad7b6ba9848ad7513dc8be098ddc74a1aaa21b6b98954ca9d86
Opcode Fuzzy Hash: 7992b648cd88bc56b748226ed45a472876c59047583b5c031b1e175cd86a4a75
Instruction Fuzzy Hash: 3D217E30E0061ADBDB15CFA4D98479EFBB6EF85300F10C559E845EB254DB719846CB90

Function 02A8D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265311471.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a8d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3723a5b0df193fbffac5fe9b21504085531df0ea2d7c47e4253a046a4d8787
Instruction ID: b4c7e30a5feabcd88cbc8e93d215246883871deb6b27c50f8e4427d7ace68cb6
Opcode Fuzzy Hash: 3a3723a5b0df193fbffac5fe9b21504085531df0ea2d7c47e4253a046a4d8787
Instruction Fuzzy Hash: 3E21F271504604DFDB14EF24D9C0F26BFB5FB88318F24C669D90A4B296CB3AD846CA62

Function 02B54F7B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e353c16a3c10da6bac68a438a188f3a5c36ef023c4c77de7f0bf156b9960463
Instruction ID: 4e90faec52444454e9b62744617cb8c0640607b48bb98ec32044921887900e07
Opcode Fuzzy Hash: 3e353c16a3c10da6bac68a438a188f3a5c36ef023c4c77de7f0bf156b9960463
Instruction Fuzzy Hash: 5D211530A00214CFDB54EF69D599B9D77F2EF48305B1404A8E90AEB3A0EB35DD01CBA0

Function 02B59148 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13e449aca7d2ecdcea0935d2eeded935abc109f4bc70b96b74985a5b9e2b923
Instruction ID: 6b6d326bc35ff38ec7f2abac4014e04a4267787144f2ebbcdfb8557a45c6e98f
Opcode Fuzzy Hash: b13e449aca7d2ecdcea0935d2eeded935abc109f4bc70b96b74985a5b9e2b923
Instruction Fuzzy Hash: 68218E30E00629DBDB19CFA5C85469EF7B2EF89300F10855AEC15BB340DBB1A842CB91

Function 02B51878 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551a912e7619da9704b0a5beae39b9eae9124d72ee63a1da591ed1a5e5cafde0
Instruction ID: 3b458819fa6f50cc41efbe0beca26fe533bdcbf6c12a330d949d57035b6976dd
Opcode Fuzzy Hash: 551a912e7619da9704b0a5beae39b9eae9124d72ee63a1da591ed1a5e5cafde0
Instruction Fuzzy Hash: 63212A30B10229CFDB64EB68C5557AE77F6EF49205F1004A8C90AEF290EB35EC01CBA1

Function 02B51373 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb309560a00e0c6c3fec8f5bdcc638f169936a42b1b1abbce29025a29017f28e
Instruction ID: 4a0f68d56dea7a232b21696275d683a3b42f7dac7aa8327f4a2b1b49efb2afc5
Opcode Fuzzy Hash: bb309560a00e0c6c3fec8f5bdcc638f169936a42b1b1abbce29025a29017f28e
Instruction Fuzzy Hash: 7321D0346601219BEF35662CE99532D3A65EB06315F4448A9E90ECF3C0DF29CCC6CB92

Function 02B516A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c998fe6e69fe93b5105f9833b8d476e6fc9163935fc5e8648b93d354e5c91ef
Instruction ID: 145d8028fd3612a6e03f814b9c37208a153be3a06c8d6a0ff462519efca3eba4
Opcode Fuzzy Hash: 5c998fe6e69fe93b5105f9833b8d476e6fc9163935fc5e8648b93d354e5c91ef
Instruction Fuzzy Hash: 992193746201515FDF22FB6CF884B593759EB44304F104A61D40ACB268FB34DC89CB91

Function 02B51868 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35830c30227ccb598dc9e4dc56a0fbffae37ad2076290eb1ceaf0b7324a5c6b2
Instruction ID: 7cd0867997091c7c93530ce751900b1a85f7a4d96ff0d1c0813ea1553da01015
Opcode Fuzzy Hash: 35830c30227ccb598dc9e4dc56a0fbffae37ad2076290eb1ceaf0b7324a5c6b2
Instruction Fuzzy Hash: AE213D30B20265CFDB54EB78C5557AE77B6EF49245F1004A8D90AFF290EB359D01CB61

Function 02B54F88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fc43b3fab390790725051dbca8c51fa6b19cb17f174b74498d91e788808bdc
Instruction ID: daee5eb742dc8b3dfc767374c4f3ee4b8a34d9e1a8fbfb2886565ece250690f1
Opcode Fuzzy Hash: 70fc43b3fab390790725051dbca8c51fa6b19cb17f174b74498d91e788808bdc
Instruction Fuzzy Hash: E021F330A40214CFDB54EB69D598B9D77F2EF88305B1044A8E90AEB3A0EB35DD01CB60

Function 02B50848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dadfbf19388d6c79fde762f28baf32ac7e7bf4d385a23ea56d8e1f913499be
Instruction ID: 5aeb1f08eaeac92acf1931975461105227ade1b4e71c9961624fd075012ec5e8
Opcode Fuzzy Hash: 84dadfbf19388d6c79fde762f28baf32ac7e7bf4d385a23ea56d8e1f913499be
Instruction Fuzzy Hash: 2811A030B002248BEF64BA79D544B2E7695EF49314F104DB9E806CF295DB69EC868BD1

Function 02B50838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a726a3cc315584ebd92638c8cdad8f940db0c48331c4514573ae4884c6c3e59
Instruction ID: 5c2c748d69a25342da7f7f22a85ec2404ff32ded249814d0362e708e9a866c72
Opcode Fuzzy Hash: 3a726a3cc315584ebd92638c8cdad8f940db0c48331c4514573ae4884c6c3e59
Instruction Fuzzy Hash: B6112530B0032487EF247A79D504B6E3695EB49314F104CB9DC02CF281EB68EC458BC1

Function 02B517B0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d84a480cf45e43c1ca85efbf51b895802410f08299b5684d62eee8565e0349
Instruction ID: 4b9ef36d20b4f36ff5cd729eb051e9ed9567f908918a7a5d780d5ae9a6063a8f
Opcode Fuzzy Hash: 33d84a480cf45e43c1ca85efbf51b895802410f08299b5684d62eee8565e0349
Instruction Fuzzy Hash: 59114876F10210ABDB10AB78984875E7FF9EB48250F10486AED4EC7384EF3489428791

Function 02B51478 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af2e71350931d74c169fe0276b74fb16d36e7187c39da74c9a4d0d013a301ff
Instruction ID: 4a34d853b01e7e7b944e509de22f2d674666982617361b72be25a95b0fe4fb72
Opcode Fuzzy Hash: 9af2e71350931d74c169fe0276b74fb16d36e7187c39da74c9a4d0d013a301ff
Instruction Fuzzy Hash: 7B117071E113249BCB21EFB984803AD7BE6EB4D320B2514F9DC09EB242E735D9418F91

Function 02A8D02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265311471.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a8d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 692cff3ba3b505f8138f8050532f5f7ff12160033478125347e61ff4edd1480e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: C711DD75504684CFCB12DF24D5C4B15FFB1FB88318F28C6AAD84A4B696C33AD44ACB62

Function 02B51488 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed70eb4956f2a06f827f90bb644ce6911e08ddf315d5b8824e3a5f56e10fe0e
Instruction ID: 1569f48d115838f33b9e6fa46f851f0f008a44b96d89adcb24d53f3f09f12e14
Opcode Fuzzy Hash: 4ed70eb4956f2a06f827f90bb644ce6911e08ddf315d5b8824e3a5f56e10fe0e
Instruction Fuzzy Hash: BB015B31A113248FCB21EFB984403AD7BE6EB48324B2518F9DC0AEB201E735D9418FA1

Function 02B540EF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c5d31ad26bca5a471fae13dd4f3f376a209b895063566c7c34e8a2860b022b
Instruction ID: a213ccb3c3ae0b69a7dc0d5406f2789c2766283ee17f8d67599aed708e675e04
Opcode Fuzzy Hash: 21c5d31ad26bca5a471fae13dd4f3f376a209b895063566c7c34e8a2860b022b
Instruction Fuzzy Hash: E211C530D00229DFDF24EE94D9987ECBB72EF65319F1424AAD811BA190DB3448C6CF16

Function 02B580D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcd226278e58ca66dd1af0cedd370238ba99a0f73cff6c2ee3fe6c1972a95f3
Instruction ID: fcf9c7e48e3732ed12eed861e23b250f8fc84474bc2da9303ea1f0c379878c91
Opcode Fuzzy Hash: 1bcd226278e58ca66dd1af0cedd370238ba99a0f73cff6c2ee3fe6c1972a95f3
Instruction Fuzzy Hash: C2017C759501489FCB06FBB4F980A8C7BBAEF40300F0046B8C0049B2A5EF756E0EDBA1

Function 02B57078 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4baf989b5ff687c32483816e72eb634eca0c62e5cf52c3613960b0f6cbd0a977
Instruction ID: 9f4ece18927f1188fe8a302a8d70c2e60bcc244c8d7fe332403e8c72477e5d56
Opcode Fuzzy Hash: 4baf989b5ff687c32483816e72eb634eca0c62e5cf52c3613960b0f6cbd0a977
Instruction Fuzzy Hash: B0F0C439B402148FD714EB64D598B6C77B2EF88315F5440A8E50A9B3E0DF35AD82CB51

Function 02B580E8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a891850630dcc5d592dc570f5b6dfb3438fd3583c16a94907dbacb467f00d158
Instruction ID: aa96cca7bb60d91b9966bb8e4c848fb7a3d3b82f62fad215ec571e7fbfa20de0
Opcode Fuzzy Hash: a891850630dcc5d592dc570f5b6dfb3438fd3583c16a94907dbacb467f00d158
Instruction Fuzzy Hash: ADF0FB349401099FCB06FFA4FA40A9D7BBAEF40304F504678C0059B258EA356E0A8B91

Non-executed Functions

Function 060F5058 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$]q, xrefs: 060F51BD
$]q, xrefs: 060F560E
$]q, xrefs: 060F5198
$]q, xrefs: 060F518C
$]q, xrefs: 060F55F8
$]q, xrefs: 060F5566
$]q, xrefs: 060F51C9
$]q, xrefs: 060F561A
$]q, xrefs: 060F5604
$]q, xrefs: 060F555A

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 4cbed454588682b3c213bd37eee254507f1148f7af6819e3e011e79919e74915
Instruction ID: 6885118a7f59bcb57b882d7b4b608bda1939f666a75e017bf296832990896ea6
Opcode Fuzzy Hash: 4cbed454588682b3c213bd37eee254507f1148f7af6819e3e011e79919e74915
Instruction Fuzzy Hash: 14126E30B502198FDB65DF68CC94A9EBBF2BF88304F1089A9D5099B754DB309D86CF81

Function 060F49D8 Relevance: 9.2, Strings: 7, Instructions: 442COMMON

Download Yara Rule

Strings

$]q, xrefs: 060F4F45
.5uq, xrefs: 060F4A33
$]q, xrefs: 060F4ED5
$]q, xrefs: 060F4F51
$]q, xrefs: 060F4D3E
$]q, xrefs: 060F4CBA
$]q, xrefs: 060F4D32

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 35bb53f8b95b1e25b063c8489aa80728445ec71050ef5dac9d65dbbfc9325278
Instruction ID: b75537fff3e999ee8ec6b8580b5715443eceeca32611ea33c3ea1882c5e2cb75
Opcode Fuzzy Hash: 35bb53f8b95b1e25b063c8489aa80728445ec71050ef5dac9d65dbbfc9325278
Instruction Fuzzy Hash: 18028E30A502098FDB99EFA4C594B6EBBF7BF84300F148469D8099B769DB35DC46CB81

Function 060F321F Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

\Obq, xrefs: 060F333A
XPbq, xrefs: 060F34A6

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: XPbq$\Obq
API String ID: 0-409418754
Opcode ID: da1b98e9ee6c29d32f007622c4c1cd9ea5816f34f321f254760963b07d63eb59
Instruction ID: e7f2402f3771cabea3bda579aa8dbf579c4360623cf396537d94eaacb9013edd
Opcode Fuzzy Hash: da1b98e9ee6c29d32f007622c4c1cd9ea5816f34f321f254760963b07d63eb59
Instruction Fuzzy Hash: 6BD1D731B600148FDF98DB68D4947AEBBE2FF88720F258469E646DB751CA31EC458BD0

Function 060FBD88 Relevance: 1.8, Strings: 1, Instructions: 578COMMON

Download Yara Rule

Strings

PH]q, xrefs: 060FBFE8

Memory Dump Source

Source File: 00000002.00000002.3267374335.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_60f0000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: b9559bfdda073765bdae23bb27987956793d401defbb2a6bdef9013986846134
Instruction ID: 771a8aba522223b69c88dc878d108683ed081f612ba7d13aab3ec0d132fac279
Opcode Fuzzy Hash: b9559bfdda073765bdae23bb27987956793d401defbb2a6bdef9013986846134
Instruction Fuzzy Hash: CD22E130B501088FDB94DB68D984BAEBBF6EF89310F108469D506DB7A1DB35EC46CB91

Function 02B541B8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3265501459.0000000002B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2b50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6242c706244d72b94ed210e3102f5d32af4b84f43e10ee56bd9ba1f4f103c9b8
Instruction ID: c9bbb11f075ee4b61c8af91c90b6d4b2a015ea85349962603a173da6434a1843
Opcode Fuzzy Hash: 6242c706244d72b94ed210e3102f5d32af4b84f43e10ee56bd9ba1f4f103c9b8
Instruction Fuzzy Hash: C3B14E70E002298FDF14DFA9D9857DDBBF2EF88314F148169D819AB254EB749885CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report z1quote93039-pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Lymnaeidae

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
z1quote93039-pdf.exe

Function 060F5750 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Function 060FDD73 Relevance: 2.8, Strings: 2, Instructions: 344
COMMON

Function 02B56EC0 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Function 060FE218 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Function 060FE300 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 02B5F3DD Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Function 02B56F60 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON