Edit tour

Windows Analysis Report
rwzBBMVxUb.exe

Overview

General Information

Sample name:	rwzBBMVxUb.exe renamed because original name is a hash value
Original sample name:	4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3.exe
Analysis ID:	1559434
MD5:	5b65abb4776d7bae7624c3085a5a227a
SHA1:	7eedb005b4e3a79aa4482f8fe04c16ee4490bfb6
SHA256:	4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rwzBBMVxUb.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\rwzBBMVxUb.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

rwzBBMVxUb.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\rwzBBMVxUb.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

qXLPL.exe (PID: 5228 cmdline: "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

qXLPL.exe (PID: 3052 cmdline: "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

qXLPL.exe (PID: 2056 cmdline: "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

qXLPL.exe (PID: 6548 cmdline: "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe" MD5: 5B65ABB4776D7BAE7624C3085A5A227A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "chimaobi@alruomigroup.com", "Password": "LtURz%y7", "Host": "smtp.alruomigroup.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x2d42:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x71a:$a13: get_DnsResolver 0xcd9:$a18: get_advancedParameters 0xf1:$a19: get_disabledByRestriction 0xdf0:$a22: get_signaturePresets 0xdb6:$a29: set_IdnAddress 0x284:$a35: get_ShiftKeyDown 0x295:$a36: get_AltKeyDown 0xb51:$a39: get_DefaultCredentials
00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xfd7:$a3: MailAccountConfiguration 0xfb7:$a8: set_BindingAccountConfiguration 0x1d8:$a14: get_archivingScope 0x0:$a15: get_providerName 0x272:$a21: get_avatarType 0x896:$a23: get_enableLog 0x7d:$a26: set_accountName 0xd8:$a31: set_username 0xefd:$a32: set_version 0x8e7:$a38: get_PasswordHash
00000009.00000002.4156381468.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1d93:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1eb4:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x31124:$s10: logins 0x30eb2c:$s11: credential 0x1d93:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x28be:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1eb4:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x4a94af:$a3: MailAccountConfiguration 0x4df2cf:$a3: MailAccountConfiguration 0x4a94c8:$a5: SmtpAccountConfiguration 0x4df2e8:$a5: SmtpAccountConfiguration 0x4a948f:$a8: set_BindingAccountConfiguration 0x4df2af:$a8: set_BindingAccountConfiguration 0x4a8400:$a11: get_securityProfile 0x4de220:$a11: get_securityProfile 0x4a82a1:$a12: get_useSeparateFolderTree 0x4de0c1:$a12: get_useSeparateFolderTree 0x4a9bf2:$a13: get_DnsResolver 0x4dfa12:$a13: get_DnsResolver 0x4a86b0:$a14: get_archivingScope 0x4de4d0:$a14: get_archivingScope 0x4a84d8:$a15: get_providerName 0x4de2f8:$a15: get_providerName 0x4aabf0:$a17: get_priority 0x4e0a10:$a17: get_priority 0x4aa1b1:$a18: get_advancedParameters 0x4dffd1:$a18: get_advancedParameters 0x4a95c9:$a19: get_disabledByRestriction
00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x47c21a:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x4b203a:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x312c8:$s10: logins 0x30dbb0:$s11: credential 0x1d8b:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x28b6:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1eac:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1f6827:$a3: MailAccountConfiguration 0x22c647:$a3: MailAccountConfiguration 0x1f6840:$a5: SmtpAccountConfiguration 0x22c660:$a5: SmtpAccountConfiguration 0x1f6807:$a8: set_BindingAccountConfiguration 0x22c627:$a8: set_BindingAccountConfiguration 0x1f5778:$a11: get_securityProfile 0x22b598:$a11: get_securityProfile 0x1f5619:$a12: get_useSeparateFolderTree 0x22b439:$a12: get_useSeparateFolderTree 0x1f6f6a:$a13: get_DnsResolver 0x22cd8a:$a13: get_DnsResolver 0x1f5a28:$a14: get_archivingScope 0x22b848:$a14: get_archivingScope 0x1f5850:$a15: get_providerName 0x22b670:$a15: get_providerName 0x1f7f68:$a17: get_priority 0x22dd88:$a17: get_priority 0x1f7529:$a18: get_advancedParameters 0x22d349:$a18: get_advancedParameters 0x1f6941:$a19: get_disabledByRestriction
00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x1c9592:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x1ff3b2:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1e731f:$a3: MailAccountConfiguration 0x3707d7:$a3: MailAccountConfiguration 0x1e7338:$a5: SmtpAccountConfiguration 0x3707f0:$a5: SmtpAccountConfiguration 0x1e72ff:$a8: set_BindingAccountConfiguration 0x3707b7:$a8: set_BindingAccountConfiguration 0x1e6270:$a11: get_securityProfile 0x36f728:$a11: get_securityProfile 0x1e6111:$a12: get_useSeparateFolderTree 0x36f5c9:$a12: get_useSeparateFolderTree 0x1e7a62:$a13: get_DnsResolver 0x370f1a:$a13: get_DnsResolver 0x1e6520:$a14: get_archivingScope 0x36f9d8:$a14: get_archivingScope 0x1e6348:$a15: get_providerName 0x36f800:$a15: get_providerName 0x1e8a60:$a17: get_priority 0x371f18:$a17: get_priority 0x1e8021:$a18: get_advancedParameters 0x3714d9:$a18: get_advancedParameters 0x1e7439:$a19: get_disabledByRestriction
00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x1ba08a:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x343542:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rwzBBMVxUb.exe PID: 6256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rwzBBMVxUb.exe PID: 6256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rwzBBMVxUb.exe PID: 6256	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x831c6e:$a3: MailAccountConfiguration 0x831c87:$a5: SmtpAccountConfiguration 0x831c4e:$a8: set_BindingAccountConfiguration 0x830d4a:$a11: get_securityProfile 0x830bee:$a12: get_useSeparateFolderTree 0x83230c:$a13: get_DnsResolver 0x830ff6:$a14: get_archivingScope 0x830e22:$a15: get_providerName 0x8331ee:$a17: get_priority 0x83289b:$a18: get_advancedParameters 0x831d88:$a19: get_disabledByRestriction 0x8309f6:$a20: get_LastAccessed 0x831090:$a21: get_avatarType 0x8329b2:$a22: get_signaturePresets 0x831659:$a23: get_enableLog 0x830e9f:$a26: set_accountName 0x832ddc:$a27: set_InternalServerPort 0x8307e3:$a28: set_bindingConfigurationUID 0x832978:$a29: set_IdnAddress 0x8330ac:$a30: set_GuidMasterKey 0x830efa:$a31: set_username
Process Memory Space: rwzBBMVxUb.exe PID: 7080	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rwzBBMVxUb.exe PID: 7080	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rwzBBMVxUb.exe PID: 7080	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x28dc0:$a13: get_DnsResolver 0x2934f:$a18: get_advancedParameters 0x2883c:$a19: get_disabledByRestriction 0x29466:$a22: get_signaturePresets 0x2942c:$a29: set_IdnAddress 0x289cb:$a35: get_ShiftKeyDown 0x289dc:$a36: get_AltKeyDown 0x291cb:$a39: get_DefaultCredentials
Process Memory Space: rwzBBMVxUb.exe PID: 7080	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x28ae1:$s2: get_CHoo 0x289bb:$g4: get_CtrlKeyDown 0x289cb:$g5: get_ShiftKeyDown 0x289dc:$g6: get_AltKeyDown 0xf56a:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x11771:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x10095:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1229b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0xf68b:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x11892:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: qXLPL.exe PID: 5228	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qXLPL.exe PID: 5228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qXLPL.exe PID: 5228	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3e1f99:$a3: MailAccountConfiguration 0x3e1fb2:$a5: SmtpAccountConfiguration 0x3e1f79:$a8: set_BindingAccountConfiguration 0x3e1508:$a11: get_securityProfile 0x3e1443:$a12: get_useSeparateFolderTree 0x3e2490:$a13: get_DnsResolver 0x3e1718:$a14: get_archivingScope 0x3e159d:$a15: get_providerName 0x3e2f06:$a17: get_priority 0x3e280f:$a18: get_advancedParameters 0x3e2043:$a19: get_disabledByRestriction 0x3e12dc:$a20: get_LastAccessed 0x3e17a8:$a21: get_avatarType 0x3e2905:$a22: get_signaturePresets 0x3e1b2f:$a23: get_enableLog 0x3e160d:$a26: set_accountName 0x3e2c2a:$a27: set_InternalServerPort 0x3e116b:$a28: set_bindingConfigurationUID 0x3e28cb:$a29: set_IdnAddress 0x3e2e4c:$a30: set_GuidMasterKey 0x3e165b:$a31: set_username
Process Memory Space: qXLPL.exe PID: 3052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qXLPL.exe PID: 3052	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qXLPL.exe PID: 3052	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x19b76:$a11: get_securityProfile 0x19a1a:$a12: get_useSeparateFolderTree 0x3e382:$a17: get_priority 0x19822:$a20: get_LastAccessed 0x3df70:$a27: set_InternalServerPort 0x1960f:$a28: set_bindingConfigurationUID 0x3e240:$a30: set_GuidMasterKey 0x198f9:$a33: get_Clipboard 0x19907:$a34: get_Keyboard 0x19914:$a37: get_Password
Process Memory Space: qXLPL.exe PID: 3052	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3dd5c:$s3: set_passwordIsSet 0x198f9:$g1: get_Clipboard 0x19907:$g2: get_Keyboard 0x19914:$g3: get_Password 0x1c45a:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1e661:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x1cf85:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1f18b:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1c57b:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x1e782:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: qXLPL.exe PID: 2056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: qXLPL.exe PID: 2056	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qXLPL.exe PID: 2056	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x385a24:$a3: MailAccountConfiguration 0x385a3d:$a5: SmtpAccountConfiguration 0x385a04:$a8: set_BindingAccountConfiguration 0x384f93:$a11: get_securityProfile 0x384ece:$a12: get_useSeparateFolderTree 0x385f1b:$a13: get_DnsResolver 0x3851a3:$a14: get_archivingScope 0x385028:$a15: get_providerName 0x386991:$a17: get_priority 0x38629a:$a18: get_advancedParameters 0x385ace:$a19: get_disabledByRestriction 0x384d67:$a20: get_LastAccessed 0x385233:$a21: get_avatarType 0x386390:$a22: get_signaturePresets 0x3855ba:$a23: get_enableLog 0x385098:$a26: set_accountName 0x3866b5:$a27: set_InternalServerPort 0x384bf6:$a28: set_bindingConfigurationUID 0x386356:$a29: set_IdnAddress 0x3868d7:$a30: set_GuidMasterKey 0x3850e6:$a31: set_username
Process Memory Space: qXLPL.exe PID: 6548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: qXLPL.exe PID: 6548	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: qXLPL.exe PID: 6548	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30831:$a3: MailAccountConfiguration 0x30811:$a8: set_BindingAccountConfiguration 0x2fbb9:$a14: get_archivingScope 0x2f9e5:$a15: get_providerName 0x2fc53:$a21: get_avatarType 0x3021c:$a23: get_enableLog 0x2fa62:$a26: set_accountName 0x2fabd:$a31: set_username 0x30757:$a32: set_version 0x30246:$a38: get_PasswordHash
Process Memory Space: qXLPL.exe PID: 6548	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30370:$s1: get_kbok 0x3021c:$s4: get_enableLog 0x4b937:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x4bdc9:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x4ba58:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x4beea:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.qXLPL.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x311d7:$a3: MailAccountConfiguration 0x311b7:$a8: set_BindingAccountConfiguration 0x303d8:$a14: get_archivingScope 0x30200:$a15: get_providerName 0x30472:$a21: get_avatarType 0x30a96:$a23: get_enableLog 0x3027d:$a26: set_accountName 0x302d8:$a31: set_username 0x310fd:$a32: set_version 0x30ae7:$a38: get_PasswordHash
0.2.rwzBBMVxUb.exe.97f7148.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.97f7148.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.97f7148.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2f3d7:$a3: MailAccountConfiguration 0x2f3f0:$a5: SmtpAccountConfiguration 0x2f3b7:$a8: set_BindingAccountConfiguration 0x2e328:$a11: get_securityProfile 0x2e1c9:$a12: get_useSeparateFolderTree 0x2fb1a:$a13: get_DnsResolver 0x2e5d8:$a14: get_archivingScope 0x2e400:$a15: get_providerName 0x30b18:$a17: get_priority 0x300d9:$a18: get_advancedParameters 0x2f4f1:$a19: get_disabledByRestriction 0x2dfa2:$a20: get_LastAccessed 0x2e672:$a21: get_avatarType 0x301f0:$a22: get_signaturePresets 0x2ec96:$a23: get_enableLog 0x2e47d:$a26: set_accountName 0x3063b:$a27: set_InternalServerPort 0x2d92d:$a28: set_bindingConfigurationUID 0x301b6:$a29: set_IdnAddress 0x309cc:$a30: set_GuidMasterKey 0x2e4d8:$a31: set_username
0.2.rwzBBMVxUb.exe.97f7148.6.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x2142:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.rwzBBMVxUb.exe.97f7148.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ee92:$s1: get_kbok 0x2f7c6:$s2: get_CHoo 0x30421:$s3: set_passwordIsSet 0x2ec96:$s4: get_enableLog 0x33353:$s8: torbrowser 0x31d36:$s10: logins 0x316ae:$s11: credential 0x2e08d:$g1: get_Clipboard 0x2e09b:$g2: get_Keyboard 0x2e0a8:$g3: get_Password 0x2f674:$g4: get_CtrlKeyDown 0x2f684:$g5: get_ShiftKeyDown 0x2f695:$g6: get_AltKeyDown
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x155277:$a3: MailAccountConfiguration 0x18b097:$a3: MailAccountConfiguration 0x155290:$a5: SmtpAccountConfiguration 0x18b0b0:$a5: SmtpAccountConfiguration 0x155257:$a8: set_BindingAccountConfiguration 0x18b077:$a8: set_BindingAccountConfiguration 0x1541c8:$a11: get_securityProfile 0x189fe8:$a11: get_securityProfile 0x154069:$a12: get_useSeparateFolderTree 0x189e89:$a12: get_useSeparateFolderTree 0x1559ba:$a13: get_DnsResolver 0x18b7da:$a13: get_DnsResolver 0x154478:$a14: get_archivingScope 0x18a298:$a14: get_archivingScope 0x1542a0:$a15: get_providerName 0x18a0c0:$a15: get_providerName 0x1569b8:$a17: get_priority 0x18c7d8:$a17: get_priority 0x155f79:$a18: get_advancedParameters 0x18bd99:$a18: get_advancedParameters 0x155391:$a19: get_disabledByRestriction
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x127fe2:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x15de02:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
8.2.qXLPL.exe.3f8a5b0.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x154d32:$s1: get_kbok 0x18ab52:$s1: get_kbok 0x155666:$s2: get_CHoo 0x18b486:$s2: get_CHoo 0x1562c1:$s3: set_passwordIsSet 0x18c0e1:$s3: set_passwordIsSet 0x154b36:$s4: get_enableLog 0x18a956:$s4: get_enableLog 0x1591f3:$s8: torbrowser 0x18f013:$s8: torbrowser 0x157bd6:$s10: logins 0x18d9f6:$s10: logins 0x15754e:$s11: credential 0x18d36e:$s11: credential 0x153f2d:$g1: get_Clipboard 0x189d4d:$g1: get_Clipboard 0x153f3b:$g2: get_Keyboard 0x189d5b:$g2: get_Keyboard 0x153f48:$g3: get_Password 0x189d68:$g3: get_Password 0x155514:$g4: get_CtrlKeyDown
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xf9257:$a3: MailAccountConfiguration 0x12f077:$a3: MailAccountConfiguration 0xf9270:$a5: SmtpAccountConfiguration 0x12f090:$a5: SmtpAccountConfiguration 0xf9237:$a8: set_BindingAccountConfiguration 0x12f057:$a8: set_BindingAccountConfiguration 0xf81a8:$a11: get_securityProfile 0x12dfc8:$a11: get_securityProfile 0xf8049:$a12: get_useSeparateFolderTree 0x12de69:$a12: get_useSeparateFolderTree 0xf999a:$a13: get_DnsResolver 0x12f7ba:$a13: get_DnsResolver 0xf8458:$a14: get_archivingScope 0x12e278:$a14: get_archivingScope 0xf8280:$a15: get_providerName 0x12e0a0:$a15: get_providerName 0xfa998:$a17: get_priority 0x1307b8:$a17: get_priority 0xf9f59:$a18: get_advancedParameters 0x12fd79:$a18: get_advancedParameters 0xf9371:$a19: get_disabledByRestriction
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0xcbfc2:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x101de2:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
8.2.qXLPL.exe.3fe65d0.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xf8d12:$s1: get_kbok 0x12eb32:$s1: get_kbok 0xf9646:$s2: get_CHoo 0x12f466:$s2: get_CHoo 0xfa2a1:$s3: set_passwordIsSet 0x1300c1:$s3: set_passwordIsSet 0xf8b16:$s4: get_enableLog 0x12e936:$s4: get_enableLog 0xfd1d3:$s8: torbrowser 0x132ff3:$s8: torbrowser 0xfbbb6:$s10: logins 0x1319d6:$s10: logins 0xfb52e:$s11: credential 0x13134e:$s11: credential 0xf7f0d:$g1: get_Clipboard 0x12dd2d:$g1: get_Clipboard 0xf7f1b:$g2: get_Keyboard 0x12dd3b:$g2: get_Keyboard 0xf7f28:$g3: get_Password 0x12dd48:$g3: get_Password 0xf94f4:$g4: get_CtrlKeyDown
6.2.qXLPL.exe.2a1a5a0.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.qXLPL.exe.2a1a5a0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2bd75e:$v1: SbieDll.dll 0x2bd778:$v2: USER 0x2c0e7e:$v2: USER 0x2c15e4:$v2: USER 0x2c1ccc:$v2: USER 0x2c260a:$v2: USER 0x2c2c4a:$v2: USER 0x2c2c64:$v2: USER 0x2c389c:$v2: USER 0x2c38b6:$v2: USER 0x2c3b8c:$v2: USER 0x2c3ba4:$v2: USER 0x2c3cb8:$v2: USER 0x2c3cc8:$v2: USER 0x2c3cdc:$v2: USER 0x2bd784:$v3: SANDBOX 0x2bd796:$v4: VIRUS 0x2bd7e6:$v4: VIRUS 0x2bd7a4:$v5: MALWARE 0x2bd7b6:$v6: SCHMIDTI 0x2bd7ca:$v7: CURRENTUSER
6.2.qXLPL.exe.a6af208.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a6af208.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.qXLPL.exe.a6af208.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a6af208.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x18b2a7:$a3: MailAccountConfiguration 0x1c10c7:$a3: MailAccountConfiguration 0x18b2c0:$a5: SmtpAccountConfiguration 0x1c10e0:$a5: SmtpAccountConfiguration 0x18b287:$a8: set_BindingAccountConfiguration 0x1c10a7:$a8: set_BindingAccountConfiguration 0x18a1f8:$a11: get_securityProfile 0x1c0018:$a11: get_securityProfile 0x18a099:$a12: get_useSeparateFolderTree 0x1bfeb9:$a12: get_useSeparateFolderTree 0x18b9ea:$a13: get_DnsResolver 0x1c180a:$a13: get_DnsResolver 0x18a4a8:$a14: get_archivingScope 0x1c02c8:$a14: get_archivingScope 0x18a2d0:$a15: get_providerName 0x1c00f0:$a15: get_providerName 0x18c9e8:$a17: get_priority 0x1c2808:$a17: get_priority 0x18bfa9:$a18: get_advancedParameters 0x1c1dc9:$a18: get_advancedParameters 0x18b3c1:$a19: get_disabledByRestriction
6.2.qXLPL.exe.a6af208.2.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x15e012:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x193e32:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
6.2.qXLPL.exe.a6af208.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x18ad62:$s1: get_kbok 0x1c0b82:$s1: get_kbok 0x18b696:$s2: get_CHoo 0x1c14b6:$s2: get_CHoo 0x18c2f1:$s3: set_passwordIsSet 0x1c2111:$s3: set_passwordIsSet 0x18ab66:$s4: get_enableLog 0x1c0986:$s4: get_enableLog 0x18f223:$s8: torbrowser 0x1c5043:$s8: torbrowser 0x18dc06:$s10: logins 0x1c3a26:$s10: logins 0x18d57e:$s11: credential 0x1c339e:$s11: credential 0x189f5d:$g1: get_Clipboard 0x1bfd7d:$g1: get_Clipboard 0x189f6b:$g2: get_Keyboard 0x1bfd8b:$g2: get_Keyboard 0x189f78:$g3: get_Password 0x1bfd98:$g3: get_Password 0x18b544:$g4: get_CtrlKeyDown
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x22bee7:$a3: MailAccountConfiguration 0x261d07:$a3: MailAccountConfiguration 0x22bf00:$a5: SmtpAccountConfiguration 0x261d20:$a5: SmtpAccountConfiguration 0x22bec7:$a8: set_BindingAccountConfiguration 0x261ce7:$a8: set_BindingAccountConfiguration 0x22ae38:$a11: get_securityProfile 0x260c58:$a11: get_securityProfile 0x22acd9:$a12: get_useSeparateFolderTree 0x260af9:$a12: get_useSeparateFolderTree 0x22c62a:$a13: get_DnsResolver 0x26244a:$a13: get_DnsResolver 0x22b0e8:$a14: get_archivingScope 0x260f08:$a14: get_archivingScope 0x22af10:$a15: get_providerName 0x260d30:$a15: get_providerName 0x22d628:$a17: get_priority 0x263448:$a17: get_priority 0x22cbe9:$a18: get_advancedParameters 0x262a09:$a18: get_advancedParameters 0x22c001:$a19: get_disabledByRestriction
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x1fec52:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x234a72:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
6.2.qXLPL.exe.a60e5c8.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x22b9a2:$s1: get_kbok 0x2617c2:$s1: get_kbok 0x22c2d6:$s2: get_CHoo 0x2620f6:$s2: get_CHoo 0x22cf31:$s3: set_passwordIsSet 0x262d51:$s3: set_passwordIsSet 0x22b7a6:$s4: get_enableLog 0x2615c6:$s4: get_enableLog 0x22fe63:$s8: torbrowser 0x265c83:$s8: torbrowser 0x22e846:$s10: logins 0x264666:$s10: logins 0x22e1be:$s11: credential 0x263fde:$s11: credential 0x22ab9d:$g1: get_Clipboard 0x2609bd:$g1: get_Clipboard 0x22abab:$g2: get_Keyboard 0x2609cb:$g2: get_Keyboard 0x22abb8:$g3: get_Password 0x2609d8:$g3: get_Password 0x22c184:$g4: get_CtrlKeyDown
8.2.qXLPL.exe.3ee9970.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3ee9970.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.qXLPL.exe.3ee9970.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.qXLPL.exe.3ee9970.3.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1f5eb7:$a3: MailAccountConfiguration 0x22bcd7:$a3: MailAccountConfiguration 0x1f5ed0:$a5: SmtpAccountConfiguration 0x22bcf0:$a5: SmtpAccountConfiguration 0x1f5e97:$a8: set_BindingAccountConfiguration 0x22bcb7:$a8: set_BindingAccountConfiguration 0x1f4e08:$a11: get_securityProfile 0x22ac28:$a11: get_securityProfile 0x1f4ca9:$a12: get_useSeparateFolderTree 0x22aac9:$a12: get_useSeparateFolderTree 0x1f65fa:$a13: get_DnsResolver 0x22c41a:$a13: get_DnsResolver 0x1f50b8:$a14: get_archivingScope 0x22aed8:$a14: get_archivingScope 0x1f4ee0:$a15: get_providerName 0x22ad00:$a15: get_providerName 0x1f75f8:$a17: get_priority 0x22d418:$a17: get_priority 0x1f6bb9:$a18: get_advancedParameters 0x22c9d9:$a18: get_advancedParameters 0x1f5fd1:$a19: get_disabledByRestriction
8.2.qXLPL.exe.3ee9970.3.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x1c8c22:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x1fea42:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
8.2.qXLPL.exe.3ee9970.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1f5972:$s1: get_kbok 0x22b792:$s1: get_kbok 0x1f62a6:$s2: get_CHoo 0x22c0c6:$s2: get_CHoo 0x1f6f01:$s3: set_passwordIsSet 0x22cd21:$s3: set_passwordIsSet 0x1f5776:$s4: get_enableLog 0x22b596:$s4: get_enableLog 0x1f9e33:$s8: torbrowser 0x22fc53:$s8: torbrowser 0x1f8816:$s10: logins 0x22e636:$s10: logins 0x1f818e:$s11: credential 0x22dfae:$s11: credential 0x1f4b6d:$g1: get_Clipboard 0x22a98d:$g1: get_Clipboard 0x1f4b7b:$g2: get_Keyboard 0x22a99b:$g2: get_Keyboard 0x1f4b88:$g3: get_Password 0x22a9a8:$g3: get_Password 0x1f6154:$g4: get_CtrlKeyDown
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2ccb07:$a3: MailAccountConfiguration 0x302927:$a3: MailAccountConfiguration 0x2ccb20:$a5: SmtpAccountConfiguration 0x302940:$a5: SmtpAccountConfiguration 0x2ccae7:$a8: set_BindingAccountConfiguration 0x302907:$a8: set_BindingAccountConfiguration 0x2cba58:$a11: get_securityProfile 0x301878:$a11: get_securityProfile 0x2cb8f9:$a12: get_useSeparateFolderTree 0x301719:$a12: get_useSeparateFolderTree 0x2cd24a:$a13: get_DnsResolver 0x30306a:$a13: get_DnsResolver 0x2cbd08:$a14: get_archivingScope 0x301b28:$a14: get_archivingScope 0x2cbb30:$a15: get_providerName 0x301950:$a15: get_providerName 0x2ce248:$a17: get_priority 0x304068:$a17: get_priority 0x2cd809:$a18: get_advancedParameters 0x303629:$a18: get_advancedParameters 0x2ccc21:$a19: get_disabledByRestriction
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x29f872:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x2d5692:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
6.2.qXLPL.exe.a56d9a8.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2cc5c2:$s1: get_kbok 0x3023e2:$s1: get_kbok 0x2ccef6:$s2: get_CHoo 0x302d16:$s2: get_CHoo 0x2cdb51:$s3: set_passwordIsSet 0x303971:$s3: set_passwordIsSet 0x2cc3c6:$s4: get_enableLog 0x3021e6:$s4: get_enableLog 0x2d0a83:$s8: torbrowser 0x3068a3:$s8: torbrowser 0x2cf466:$s10: logins 0x305286:$s10: logins 0x2cedde:$s11: credential 0x304bfe:$s11: credential 0x2cb7bd:$g1: get_Clipboard 0x3015dd:$g1: get_Clipboard 0x2cb7cb:$g2: get_Keyboard 0x3015eb:$g2: get_Keyboard 0x2cb7d8:$g3: get_Password 0x3015f8:$g3: get_Password 0x2ccda4:$g4: get_CtrlKeyDown
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x311d7:$a3: MailAccountConfiguration 0x1ba68f:$a3: MailAccountConfiguration 0x311f0:$a5: SmtpAccountConfiguration 0x1ba6a8:$a5: SmtpAccountConfiguration 0x311b7:$a8: set_BindingAccountConfiguration 0x1ba66f:$a8: set_BindingAccountConfiguration 0x30128:$a11: get_securityProfile 0x1b95e0:$a11: get_securityProfile 0x2ffc9:$a12: get_useSeparateFolderTree 0x1b9481:$a12: get_useSeparateFolderTree 0x3191a:$a13: get_DnsResolver 0x1badd2:$a13: get_DnsResolver 0x303d8:$a14: get_archivingScope 0x1b9890:$a14: get_archivingScope 0x30200:$a15: get_providerName 0x1b96b8:$a15: get_providerName 0x32918:$a17: get_priority 0x1bbdd0:$a17: get_priority 0x31ed9:$a18: get_advancedParameters 0x1bb391:$a18: get_advancedParameters 0x312f1:$a19: get_disabledByRestriction
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x3f42:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x18d3fa:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30c92:$s1: get_kbok 0x1ba14a:$s1: get_kbok 0x315c6:$s2: get_CHoo 0x1baa7e:$s2: get_CHoo 0x32221:$s3: set_passwordIsSet 0x1bb6d9:$s3: set_passwordIsSet 0x30a96:$s4: get_enableLog 0x1b9f4e:$s4: get_enableLog 0x35153:$s8: torbrowser 0x1be60b:$s8: torbrowser 0x33b36:$s10: logins 0x1bcfee:$s10: logins 0x334ae:$s11: credential 0x1bc966:$s11: credential 0x2fe8d:$g1: get_Clipboard 0x1b9345:$g1: get_Clipboard 0x2fe9b:$g2: get_Keyboard 0x1b9353:$g2: get_Keyboard 0x2fea8:$g3: get_Password 0x1b9360:$g3: get_Password 0x31474:$g4: get_CtrlKeyDown
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x12f287:$a3: MailAccountConfiguration 0x2b873f:$a3: MailAccountConfiguration 0x12f2a0:$a5: SmtpAccountConfiguration 0x2b8758:$a5: SmtpAccountConfiguration 0x12f267:$a8: set_BindingAccountConfiguration 0x2b871f:$a8: set_BindingAccountConfiguration 0x12e1d8:$a11: get_securityProfile 0x2b7690:$a11: get_securityProfile 0x12e079:$a12: get_useSeparateFolderTree 0x2b7531:$a12: get_useSeparateFolderTree 0x12f9ca:$a13: get_DnsResolver 0x2b8e82:$a13: get_DnsResolver 0x12e488:$a14: get_archivingScope 0x2b7940:$a14: get_archivingScope 0x12e2b0:$a15: get_providerName 0x2b7768:$a15: get_providerName 0x1309c8:$a17: get_priority 0x2b9e80:$a17: get_priority 0x12ff89:$a18: get_advancedParameters 0x2b9441:$a18: get_advancedParameters 0x12f3a1:$a19: get_disabledByRestriction
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x101ff2:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x28b4aa:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x12ed42:$s1: get_kbok 0x2b81fa:$s1: get_kbok 0x12f676:$s2: get_CHoo 0x2b8b2e:$s2: get_CHoo 0x1302d1:$s3: set_passwordIsSet 0x2b9789:$s3: set_passwordIsSet 0x12eb46:$s4: get_enableLog 0x2b7ffe:$s4: get_enableLog 0x133203:$s8: torbrowser 0x2bc6bb:$s8: torbrowser 0x131be6:$s10: logins 0x2bb09e:$s10: logins 0x13155e:$s11: credential 0x2baa16:$s11: credential 0x12df3d:$g1: get_Clipboard 0x2b73f5:$g1: get_Clipboard 0x12df4b:$g2: get_Keyboard 0x2b7403:$g2: get_Keyboard 0x12df58:$g3: get_Password 0x2b7410:$g3: get_Password 0x12f524:$g4: get_CtrlKeyDown
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x18b2a7:$a3: MailAccountConfiguration 0x31475f:$a3: MailAccountConfiguration 0x18b2c0:$a5: SmtpAccountConfiguration 0x314778:$a5: SmtpAccountConfiguration 0x18b287:$a8: set_BindingAccountConfiguration 0x31473f:$a8: set_BindingAccountConfiguration 0x18a1f8:$a11: get_securityProfile 0x3136b0:$a11: get_securityProfile 0x18a099:$a12: get_useSeparateFolderTree 0x313551:$a12: get_useSeparateFolderTree 0x18b9ea:$a13: get_DnsResolver 0x314ea2:$a13: get_DnsResolver 0x18a4a8:$a14: get_archivingScope 0x313960:$a14: get_archivingScope 0x18a2d0:$a15: get_providerName 0x313788:$a15: get_providerName 0x18c9e8:$a17: get_priority 0x315ea0:$a17: get_priority 0x18bfa9:$a18: get_advancedParameters 0x315461:$a18: get_advancedParameters 0x18b3c1:$a19: get_disabledByRestriction
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	Windows_Trojan_AgentTesla_f2a90d14	unknown	unknown	0x15e012:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01 0x2e74ca:$a: 0B FE 01 2C 0B 07 16 7E 08 00 00 04 A2 1F 0C 0C 00 08 1F 09 FE 01
0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x18ad62:$s1: get_kbok 0x31421a:$s1: get_kbok 0x18b696:$s2: get_CHoo 0x314b4e:$s2: get_CHoo 0x18c2f1:$s3: set_passwordIsSet 0x3157a9:$s3: set_passwordIsSet 0x18ab66:$s4: get_enableLog 0x31401e:$s4: get_enableLog 0x18f223:$s8: torbrowser 0x3186db:$s8: torbrowser 0x18dc06:$s10: logins 0x3170be:$s10: logins 0x18d57e:$s11: credential 0x316a36:$s11: credential 0x189f5d:$g1: get_Clipboard 0x313415:$g1: get_Clipboard 0x189f6b:$g2: get_Keyboard 0x313423:$g2: get_Keyboard 0x189f78:$g3: get_Password 0x313430:$g3: get_Password 0x18b544:$g4: get_CtrlKeyDown
Click to see the 57 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\rwzBBMVxUb.exe, ProcessId: 7080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qXLPL

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rwzBBMVxUb.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Avira: detection malicious, Label: HEUR/AGEN.1306098

Found malware configuration

Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "chimaobi@alruomigroup.com", "Password": "LtURz%y7", "Host": "smtp.alruomigroup.com"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: rwzBBMVxUb.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rwzBBMVxUb.exe

Joe Sandbox ML: detected

Source: rwzBBMVxUb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rwzBBMVxUb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086A9D28
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then cmp dword ptr [04AFE44Ch], 04h	0_2_086A7FD0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086AAB78
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086AAB74
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086AAC28
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086AAC38
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_086A9D18
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 4x nop then cmp dword ptr [04AFE44Ch], 04h	0_2_086A7FC0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_08349D28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then cmp dword ptr [04E2E44Ch], 04h	6_2_08347FD0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_0834AB74
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_0834AB78
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_0834AC38
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_0834AC28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	6_2_08349D18
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then cmp dword ptr [04E2E44Ch], 04h	6_2_08347FC0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CD9D28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then cmp dword ptr [0596E44Ch], 04h	8_2_09CD7FD0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CDAB6D
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CDAB78
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CD9D18
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CDAC28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	8_2_09CDAC38
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 4x nop then cmp dword ptr [0596E44Ch], 04h	8_2_09CD7FCF

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE

Source: unknown

DNS traffic detected: query: smtp.alruomigroup.com replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: smtp.alruomigroup.com

Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.00000000031E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: qXLPL.exe, 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DhvEkZ.com
Source: qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.0000000002611000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rwzBBMVxUb.exe, 00000000.00000002.1761494966.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: qXLPL.exe, 00000009.00000002.4156381468.0000000003567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://409Yv1c1gFV6m.com
Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000003135000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://409Yv1c1gFV6m.comL:
Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000003135000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.0000000003567000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://409Yv1c1gFV6m.comt-
Source: rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4139305912.0000000000434000.00000040.00000400.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.00000000031E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.qXLPL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_02322838	0_2_02322838
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_02321AC0	0_2_02321AC0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_0236AF08	0_2_0236AF08
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_0236C1B8	0_2_0236C1B8
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_0236DBD0	0_2_0236DBD0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A9E98	0_2_086A9E98
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A0040	0_2_086A0040
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A6028	0_2_086A6028
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A003B	0_2_086A003B
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A601A	0_2_086A601A
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A56A9	0_2_086A56A9
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 0_2_086A6740	0_2_086A6740
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0121A058	2_2_0121A058
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01215F20	2_2_01215F20
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0121CBE0	2_2_0121CBE0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01217207	2_2_01217207
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_012144F8	2_2_012144F8
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01213330	2_2_01213330
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01220040	2_2_01220040
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0122CF10	2_2_0122CF10
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_012283E0	2_2_012283E0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01221670	2_2_01221670
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0122D970	2_2_0122D970
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0122D870	2_2_0122D870
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01225A47	2_2_01225A47
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01224AE3	2_2_01224AE3
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01225AC0	2_2_01225AC0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_02C747B4	2_2_02C747B4
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_02C75D08	2_2_02C75D08
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_02C769F1	2_2_02C769F1
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_02C75CF8	2_2_02C75CF8
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_064F23B0	2_2_064F23B0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_064F0040	2_2_064F0040
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_064F1958	2_2_064F1958
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_064F0DA8	2_2_064F0DA8
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_065E2AF0	2_2_065E2AF0
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_065E3E04	2_2_065E3E04
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_065EA239	2_2_065EA239
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_0248AF08	6_2_0248AF08
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_0248C1B8	6_2_0248C1B8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_0248DE28	6_2_0248DE28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02502070	6_2_02502070
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02502838	6_2_02502838
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02502061	6_2_02502061
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02501AC0	6_2_02501AC0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02501AAF	6_2_02501AAF
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_02502828	6_2_02502828
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_025068F0	6_2_025068F0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_025068EC	6_2_025068EC
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_08349E98	6_2_08349E98
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_08346028	6_2_08346028
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_0834601A	6_2_0834601A
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_08340006	6_2_08340006
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_08340040	6_2_08340040
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_08344B37	6_2_08344B37
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 6_2_083456A9	6_2_083456A9
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EFAEE0	7_2_00EFAEE0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EFF670	7_2_00EFF670
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EFCA58	7_2_00EFCA58
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EF4568	7_2_00EF4568
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EF5560	7_2_00EF5560
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EF7F11	7_2_00EF7F11
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EF0040	7_2_00EF0040
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EFD3B8	7_2_00EFD3B8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F0A058	7_2_00F0A058
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F06030	7_2_00F06030
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F0CD91	7_2_00F0CD91
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F0D14F	7_2_00F0D14F
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F07207	7_2_00F07207
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F03330	7_2_00F03330
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_010F47B4	7_2_010F47B4
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_010F5D08	7_2_010F5D08
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_010F69F1	7_2_010F69F1
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_010F5C20	7_2_010F5C20
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_0565BDC1	7_2_0565BDC1
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_0565C3F8	7_2_0565C3F8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05653D50	7_2_05653D50
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05654968	7_2_05654968
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05654098	7_2_05654098
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05F317D8	7_2_05F317D8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05F30D80	7_2_05F30D80
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05F30040	7_2_05F30040
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_0154C1B8	8_2_0154C1B8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F42070	8_2_04F42070
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F42838	8_2_04F42838
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F42061	8_2_04F42061
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F468F0	8_2_04F468F0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F468E0	8_2_04F468E0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F42828	8_2_04F42828
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F41AC0	8_2_04F41AC0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_04F41AAF	8_2_04F41AAF
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD9E98	8_2_09CD9E98
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD0040	8_2_09CD0040
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD601B	8_2_09CD601B
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD6028	8_2_09CD6028
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD003F	8_2_09CD003F
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 8_2_09CD56A9	8_2_09CD56A9
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_014647B4	9_2_014647B4
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_01465D08	9_2_01465D08
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_014669F1	9_2_014669F1
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_01465CC1	9_2_01465CC1
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B8011	9_2_015B8011
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B4568	9_2_015B4568
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015BF670	9_2_015BF670
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015BCC6A	9_2_015BCC6A
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B7F28	9_2_015B7F28
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B0040	9_2_015B0040
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015BD3C8	9_2_015BD3C8
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B5560	9_2_015B5560
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B4666	9_2_015B4666
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015C6030	9_2_015C6030
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015C7207	9_2_015C7207
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015C9F78	9_2_015C9F78
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015CCEE0	9_2_015CCEE0
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015C3330	9_2_015C3330

Source: rwzBBMVxUb.exe	Binary or memory string: OriginalFilename vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.00000000029B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTimeSpan.dll2 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000000.1672709866.00000000000D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTokeniz.exeF vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1748666635.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTimeSpan.dll2 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1762903949.0000000007020000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSinkProvider.dllB vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSinkProvider.dllB vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000002.00000002.4140278542.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe, 00000002.00000002.4139303062.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCIBEOIBROQOECByykQuGv.exe4 vs rwzBBMVxUb.exe
Source: rwzBBMVxUb.exe	Binary or memory string: OriginalFilenameTokeniz.exeF vs rwzBBMVxUb.exe

Source: rwzBBMVxUb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.qXLPL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_f2a90d14 reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 829c827069846ba1e1378aba8ee6cdc801631d769dc3dce15ccaacd4068a88a6, id = f2a90d14-7212-41a5-a2cd-a6a6dedce96e, last_modified = 2022-04-12
Source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: rwzBBMVxUb.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: qXLPL.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, Q6j.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, Q6j.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, hU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/0

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwzBBMVxUb.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Mutant created: NULL

Source: rwzBBMVxUb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rwzBBMVxUb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rwzBBMVxUb.exe, 00000002.00000002.4151129136.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002EDB000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.000000000351B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rwzBBMVxUb.exe

ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File read: C:\Users\user\Desktop\rwzBBMVxUb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rwzBBMVxUb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rwzBBMVxUb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, Q6j.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, Q6j.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, Q6j.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.rwzBBMVxUb.exe.7020000.2.raw.unpack, YF.cs	.Net Code: M4V System.Reflection.Assembly.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, B.cs	.Net Code: A System.Reflection.Assembly.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.2310000.0.raw.unpack, EO.cs	.Net Code: hF System.AppDomain.Load(byte[])
Source: 0.2.rwzBBMVxUb.exe.29b1258.1.raw.unpack, EO.cs	.Net Code: hF System.AppDomain.Load(byte[])
Source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, YF.cs	.Net Code: M4V System.Reflection.Assembly.Load(byte[])
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, EO.cs	.Net Code: hF System.AppDomain.Load(byte[])
Source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, YF.cs	.Net Code: M4V System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_0121C14E push es; ret	2_2_0121C150
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_01213735 pushfd ; retf	2_2_01213741
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_012210C2 push esp; ret	2_2_01221111
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Code function: 2_2_064F4228 push esp; ret	2_2_064F4271
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EFC8FA push eax; iretd	7_2_00EFC8FD
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00EF0C12 push esp; ret	7_2_00EF0C61
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F02177 push edi; retn 0000h	7_2_00F02179
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_00F0373D pushfd ; retf	7_2_00F03741
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 7_2_05F3364A push esp; ret	7_2_05F33699
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015BC8FA push eax; iretd	9_2_015BC8FD
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015B0C12 push esp; ret	9_2_015B0C61
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Code function: 9_2_015C2177 push edi; retn 0000h	9_2_015C2179

Source: rwzBBMVxUb.exe	Static PE information: section name: .text entropy: 7.429122512994657
Source: qXLPL.exe.2.dr	Static PE information: section name: .text entropy: 7.429122512994657

Source: 0.2.rwzBBMVxUb.exe.2310000.0.raw.unpack, EO.cs	High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'
Source: 0.2.rwzBBMVxUb.exe.29b1258.1.raw.unpack, EO.cs	High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'
Source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, EO.cs	High entropy of concatenated method names: 'Dispose', 'R6', 'hF', 'op', 'cI', 'pW', 'oE', 'Sx', 'BM', 'kq'

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Jump to dropped file

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qXLPL			Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qXLPL			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (126).png

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

File opened: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 6.2.qXLPL.exe.2a1a5a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 2580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 22C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 8640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 6C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 9640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: A640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: AA40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: BA40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory allocated: 4DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 7FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 6970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 8FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: A390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: B390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: A390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 4EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 8BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 7390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 9BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: ABF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: AFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: BFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Window / User API: threadDelayed 1517	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Window / User API: threadDelayed 8340	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Window / User API: threadDelayed 3178	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Window / User API: threadDelayed 6655	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Window / User API: threadDelayed 3088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Window / User API: threadDelayed 6748	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6520	Thread sleep time: -48805s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6652	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6424	Thread sleep count: 1517 > 30	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe TID: 6424	Thread sleep count: 8340 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 2208	Thread sleep time: -59082s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6364	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6364	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6376	Thread sleep count: 3178 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6376	Thread sleep count: 6655 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 1880	Thread sleep time: -53376s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 3552	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6956	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6956	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6988	Thread sleep count: 3088 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe TID: 6988	Thread sleep count: 6748 > 30	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Thread delayed: delay time: 48805	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 59082	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 53376	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: qXLPL.exe, 00000009.00000002.4198958338.00000000069C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: rwzBBMVxUb.exe, qXLPL.exe.2.dr	Binary or memory string: 385eGEzfv<pf385eG<IgogJD3Y6e8IJWo4Zg}YpXDTKhoU4[3Y5fDj[]n8ZVlIJYiU[]}ET]9o5XiU[]}Ez]xo5gkMKUx3Z]3Q[hWET]9o5XDXZek83[3Y5fDXJelI5fyE6fsUXVDL[]xoZ\385eGoHD}gpesUKgoQIDtYIDdsJD}gpesUKgoQ4[3Y5]DTKe4Ip]oUHD[UIDOMID}jIDnYphs85e\|k5\xo6XDX5fkM3fq8Zd3U[]WETU}EDgvY[\pYJUiU[]qET]m8Z\3QqeMUKe4Ip]oUJD]gKD}{Z\4I[UoQpeoM[]pYpXDXI]DnKel4Z]}Q[TDnKel4Z]}Q[TiU[]qEjeyoJgks[dvIp\y{5Ux3Z]3Q[hWEzep8ZVoM[g3{ZgGEzfoQpf4<5foMoOwYJg}o6XDL[]qIpek4X]mM[gyQ[]VEz\xEDdP<HD7{XgDXZgvIpYiU[]}ET]4{
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: rwzBBMVxUb.exe, 00000002.00000002.4196267618.00000000065F0000.00000004.00000020.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4140934304.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: qXLPL.exe, 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Code function: 2_2_01227B30 LdrInitializeThunk,

2_2_01227B30

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Memory written: C:\Users\user\Desktop\rwzBBMVxUb.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory written: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Memory written: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Process created: C:\Users\user\Desktop\rwzBBMVxUb.exe "C:\Users\user\Desktop\rwzBBMVxUb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Process created: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe "C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Users\user\Desktop\rwzBBMVxUb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Users\user\Desktop\rwzBBMVxUb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\FTP Navigator\Ftplist.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\rwzBBMVxUb.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000009.00000002.4156381468.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.97f7148.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3f8a5b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3fe65d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a6af208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a60e5c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.qXLPL.exe.3ee9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qXLPL.exe.a56d9a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.97f7148.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.96f9098.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rwzBBMVxUb.exe.969d078.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 6256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rwzBBMVxUb.exe PID: 7080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qXLPL.exe PID: 6548, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	111 Process Injection	11 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Hidden Files and Directories	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
rwzBBMVxUb.exe	89%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
rwzBBMVxUb.exe	100%	Avira	HEUR/AGEN.1306098
rwzBBMVxUb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	100%	Avira	HEUR/AGEN.1306098
C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe	89%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	Avira URL Cloud	safe
https://409Yv1c1gFV6m.comL:	0%	Avira URL Cloud	safe
http://DhvEkZ.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	Avira URL Cloud	safe
https://409Yv1c1gFV6m.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	Avira URL Cloud	safe
https://409Yv1c1gFV6m.comt-	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.alruomigroup.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.00000000031E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DynDns.comDynDNS	qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://DhvEkZ.com	qXLPL.exe, 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.00000000031E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
https://409Yv1c1gFV6m.comt-	rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000003135000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4153154447.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000009.00000002.4156381468.0000000003567000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
https://409Yv1c1gFV6m.comL:	rwzBBMVxUb.exe, 00000002.00000002.4151129136.0000000003135000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://409Yv1c1gFV6m.com	qXLPL.exe, 00000009.00000002.4156381468.0000000003567000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rwzBBMVxUb.exe, 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2061546845.0000000002611000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2151775959.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	rwzBBMVxUb.exe, 00000000.00000002.1761494966.0000000004F80000.00000004.00000020.00020000.00000000.sdmp, rwzBBMVxUb.exe, 00000000.00000002.1761567154.0000000006722000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	rwzBBMVxUb.exe, 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, qXLPL.exe, 00000007.00000002.4139305912.0000000000434000.00000040.00000400.00020000.00000000.sdmp, qXLPL.exe, 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559434
Start date and time:	2024-11-20 14:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rwzBBMVxUb.exe renamed because original name is a hash value
Original Sample Name:	4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/7@3/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 345 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rwzBBMVxUb.exe

Simulations

Behavior and APIs

Time	Type	Description
08:47:05	API Interceptor	5338802x Sleep call for process: rwzBBMVxUb.exe modified
08:47:36	API Interceptor	6350514x Sleep call for process: qXLPL.exe modified
13:47:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qXLPL C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
13:47:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qXLPL C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Process:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwzBBMVxUb.exe.log

Download File

Process:	C:\Users\user\Desktop\rwzBBMVxUb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\3cm3pfgj.nbc\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\le4u0yqd.oud\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\Desktop\rwzBBMVxUb.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

Download File

Process:	C:\Users\user\Desktop\rwzBBMVxUb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	944128
Entropy (8bit):	7.436151130326397
Encrypted:	false
SSDEEP:	12288:rXN5GnTOdU+CHpZgWWGTULgUGDc1B7YxdSI53JBQnKoWq1RAazOVKYe/+YfiLHks:ePUsVWZYQKoh1OKffi4nO8F8z
MD5:	5B65ABB4776D7BAE7624C3085A5A227A
SHA1:	7EEDB005B4E3A79AA4482F8FE04C16EE4490BFB6
SHA-256:	4F28687D01E29F37854B840C3F5F0FE2CD506C87D4F7B036BDDDCD147DC2CBC3
SHA-512:	0950B2D6597EDC91CA41F54C368DC2CEF78827A5BE23D056A90D2459639763929365CF926FF219A4884925E3AE79B360F55C98B8F909C34236890AC26F60FBA6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.`..............P..\...........{... ........@.. ....................................@..................................z..O.................................................................................... ............... ..H............text....[... ...\.................. ..`.rsrc................^..............@..@.reloc...............f..............@..B.................z......H...........D2...........................................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+...0......

C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\rwzBBMVxUb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\tcyi2soj.5kk\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Download File

Process:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.436151130326397
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	rwzBBMVxUb.exe
File size:	944'128 bytes
MD5:	5b65abb4776d7bae7624c3085a5a227a
SHA1:	7eedb005b4e3a79aa4482f8fe04c16ee4490bfb6
SHA256:	4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3
SHA512:	0950b2d6597edc91ca41f54c368dc2cef78827a5be23d056a90d2459639763929365cf926ff219a4884925e3ae79b360f55c98b8f909c34236890ac26f60fba6
SSDEEP:	12288:rXN5GnTOdU+CHpZgWWGTULgUGDc1B7YxdSI53JBQnKoWq1RAazOVKYe/+YfiLHks:ePUsVWZYQKoh1OKffi4nO8F8z
TLSH:	02159C6C23FEA109F237FE709FA1F3449E667A769225914D59C4120B5832D80FEB7932
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v.`..............P..\...........{... ........@.. ....................................@................................

File Icon


Icon Hash:	2567a3a3aeb7bdbf

Static PE Info

General

Entrypoint:	0x4d7b12
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60ED76D8 [Tue Jul 13 11:19:52 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd7ac0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x107ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd5b18	0xd5c00	4da0b4d6facee6e668c52da1d101ea88	False	0.8046543768274854	data	7.429122512994657	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x107ac	0x10800	6e3030b5a9ce7c6d06ec1a43cfc2db5e	False	0.7963275331439394	data	7.311313120676684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	56794fc9c25eb99063ac63bbded59953	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd8268	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.30913978494623656
RT_ICON	0xd8550	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.5168918918918919
RT_ICON	0xd8678	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.542910447761194
RT_ICON	0xd9520	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6728339350180506
RT_ICON	0xd9dc8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.4718208092485549
RT_ICON	0xda330	0xa5e1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9953608854350642
RT_ICON	0xe4914	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.3887966804979253
RT_ICON	0xe6ebc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.4575515947467167
RT_ICON	0xe7f64	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.6108156028368794
RT_GROUP_ICON	0xe83cc	0x84	data	0.6136363636363636
RT_VERSION	0xe8450	0x35c	data	0.436046511627907

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2024 14:48:30.759108067 CET	64890	53	192.168.2.4	1.1.1.1
Nov 20, 2024 14:48:30.990767956 CET	53	64890	1.1.1.1	192.168.2.4
Nov 20, 2024 14:49:03.152272940 CET	60883	53	192.168.2.4	1.1.1.1
Nov 20, 2024 14:49:03.297022104 CET	53	60883	1.1.1.1	192.168.2.4
Nov 20, 2024 14:49:11.266334057 CET	60703	53	192.168.2.4	1.1.1.1
Nov 20, 2024 14:49:11.408420086 CET	53	60703	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 20, 2024 14:48:30.759108067 CET	192.168.2.4	1.1.1.1	0xae46	Standard query (0)	smtp.alruomigroup.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 14:49:03.152272940 CET	192.168.2.4	1.1.1.1	0x4167	Standard query (0)	smtp.alruomigroup.com	A (IP address)	IN (0x0001)	false
Nov 20, 2024 14:49:11.266334057 CET	192.168.2.4	1.1.1.1	0xe84f	Standard query (0)	smtp.alruomigroup.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 20, 2024 14:48:30.990767956 CET	1.1.1.1	192.168.2.4	0xae46	Name error (3)	smtp.alruomigroup.com	none	none	A (IP address)	IN (0x0001)	false
Nov 20, 2024 14:49:03.297022104 CET	1.1.1.1	192.168.2.4	0x4167	Name error (3)	smtp.alruomigroup.com	none	none	A (IP address)	IN (0x0001)	false
Nov 20, 2024 14:49:11.408420086 CET	1.1.1.1	192.168.2.4	0xe84f	Name error (3)	smtp.alruomigroup.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:46:57
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\rwzBBMVxUb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rwzBBMVxUb.exe"
Imagebase:	0xd0000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_f2a90d14, Description: unknown, Source: 00000000.00000002.1764563340.0000000009641000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.1750084173.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:47:05
Start date:	20/11/2024
Path:	C:\Users\user\Desktop\rwzBBMVxUb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rwzBBMVxUb.exe"
Imagebase:	0xa30000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_AgentTesla_f2a90d14, Description: unknown, Source: 00000002.00000002.4139303062.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000002.4139303062.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000002.00000002.4151129136.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:47:31
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Imagebase:	0x130000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_f2a90d14, Description: unknown, Source: 00000006.00000002.2083524321.000000000A391000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2061546845.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:47:36
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Imagebase:	0x760000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000007.00000002.4153154447.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:47:39
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Imagebase:	0xbf0000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.2151775959.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_f2a90d14, Description: unknown, Source: 00000008.00000002.2165298001.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:47:45
Start date:	20/11/2024
Path:	C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe"
Imagebase:	0xcc0000
File size:	944'128 bytes
MD5 hash:	5B65ABB4776D7BAE7624C3085A5A227A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000009.00000002.4139300989.0000000000432000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.4156381468.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000009.00000002.4156381468.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	187
Total number of Limit Nodes:	12

Executed Functions

Function 0236AF08 Relevance: .7, Instructions: 653COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e167823e209c97225378b0540c245c1b0e1e0939c0bd1f38f19f89b2401ceda1
Instruction ID: f715a294c1fff004cb31ac0a5d3e4be2f1be929ab2de9fcfb83a22c805f4b407
Opcode Fuzzy Hash: e167823e209c97225378b0540c245c1b0e1e0939c0bd1f38f19f89b2401ceda1
Instruction Fuzzy Hash: CE526C31A006198FCB25CF64C884BAEB7BAFF44308F5584A9E915BB265D770ED85CF90

Function 086A9E98 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655cdc002a5d92abcc7a1e3cfa6cc62be18b02e285b5dc0c718d1e5b1503ff42
Instruction ID: 8a7f927547546e1365bd7717f5048692cf55e414614acd4bda8c7c4da3b9b602
Opcode Fuzzy Hash: 655cdc002a5d92abcc7a1e3cfa6cc62be18b02e285b5dc0c718d1e5b1503ff42
Instruction Fuzzy Hash: 49C199317006108FDB29DBB5C860B6AB7EBAF89706F14846ED146DB7A4DB35E802CF51

Function 086A7FC0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8b710ba3e2e9f1d4c36e4948a46fd27d0b16b5fd54a820257be9eb9380acaa
Instruction ID: 7ab4c9ced5956d8dbe8d4f7806e6f42b216b5c7c60ee7fc48a599f9002567703
Opcode Fuzzy Hash: 6c8b710ba3e2e9f1d4c36e4948a46fd27d0b16b5fd54a820257be9eb9380acaa
Instruction Fuzzy Hash: 27D11574D05368CFDB14DFA4D5987AEBBB1FB0A306F1094A9D009A32A1DB394E89CF15

Function 086A7FD0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361a0e52d2a9cd356f57a415811cfb4e7f85b83db301fd8aef2a7e30045339a1
Instruction ID: 705e8335b5547b21273c09226693b05637763f19753216016634683c941738b1
Opcode Fuzzy Hash: 361a0e52d2a9cd356f57a415811cfb4e7f85b83db301fd8aef2a7e30045339a1
Instruction Fuzzy Hash: 27D10474D01368CFDB14DFA5D5987AEBBB1FB0A306F1094A9D009A3291DB394E89CF15

Function 02322838 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f573cdfe3e996e2229e21d64f4a059010e6e836a044a5f75a209840c943294b8
Instruction ID: 39129c2b97b9b9e9891f126f66469718c89ed0dfd2bf5863afd64fd54f6b00f5
Opcode Fuzzy Hash: f573cdfe3e996e2229e21d64f4a059010e6e836a044a5f75a209840c943294b8
Instruction Fuzzy Hash: 57911670E012198BDB04DFA9D8547AEBBB2BF88300F14D129E814F7759DB74998ACF51

Function 086A9D28 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48ce6250be0e6036e30127812cd0a2695f8e5a464d361b749a6bfe43209019e
Instruction ID: 5c2f638789ddf97ac2e4e2013b2c8ed4782a7a09e1d71444072effdb02ef377f
Opcode Fuzzy Hash: f48ce6250be0e6036e30127812cd0a2695f8e5a464d361b749a6bfe43209019e
Instruction Fuzzy Hash: AF210670D05228DFDB049FA5D848BEDBEF1AB4A302F615029E425B7292CBB85D85CF54

Function 086A9D18 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61dea176ae78f8ceb592535fb28ff0bcc273db0e84621c3b976b417005e7dba
Instruction ID: 9c26ebca1ea18480ad8746ecd03c4a95db3d18f6d1f517c7f4b6a1fa1959b1e1
Opcode Fuzzy Hash: f61dea176ae78f8ceb592535fb28ff0bcc273db0e84621c3b976b417005e7dba
Instruction Fuzzy Hash: 47215A70909228DFDB149FA4D448BFDBFF1AB0A302F211069E426B7292CB785D86CF14

Function 02367507 Relevance: 6.2, APIs: 4, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 023675BE
GetCurrentThread.KERNEL32 ref: 023675FB
GetCurrentProcess.KERNEL32 ref: 02367638
GetCurrentThreadId.KERNEL32 ref: 02367691

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2d64ed5c08394ff95d9fe5c013f243d7ba85ffd00853047dfb79683278719956
Instruction ID: afb306eee78b457f964d66218be0f8844fafda28b60893c9aae74a7a642cf13e
Opcode Fuzzy Hash: 2d64ed5c08394ff95d9fe5c013f243d7ba85ffd00853047dfb79683278719956
Instruction Fuzzy Hash: DA5156B09002498FDB04CFA9D588BEEBFF1EF49318F248499D049A7265D7349949CF66

Function 02367540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 023675BE
GetCurrentThread.KERNEL32 ref: 023675FB
GetCurrentProcess.KERNEL32 ref: 02367638
GetCurrentThreadId.KERNEL32 ref: 02367691

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e2e1610616f0898c9df93e7dd7e03f146ba25f791be1105a7533b4b5ac9cf0fa
Instruction ID: 97746ad1cf3d33736397909fbb09a405b033ad310274fe0d02cd03567dcf727a
Opcode Fuzzy Hash: e2e1610616f0898c9df93e7dd7e03f146ba25f791be1105a7533b4b5ac9cf0fa
Instruction Fuzzy Hash: 485137B0A00249CFDB14DFA9D648BAEFBF5EB48318F20C459D059A7364D7349984CF66

Function 086A7C0D Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 086A7E4E

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f787084533ec3c7124bce4c866eba6054750d5b3b54cc85488c4bfc1071528d0
Instruction ID: 56f51d5edce3d2315b0f37aa05ae52ef8f1bca8d1ed2ec2cd6238e959d203ddf
Opcode Fuzzy Hash: f787084533ec3c7124bce4c866eba6054750d5b3b54cc85488c4bfc1071528d0
Instruction Fuzzy Hash: 22A17B71D00219CFDB24DFA8C840BEEBBB2BF48315F1585AAE849A7344DB749985CF91

Function 086A7C18 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 086A7E4E

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e89a78aaaa3e7cbef1e041509af2a872e2bf89b1a9663248510f4de3f709e0c7
Instruction ID: 3cce40d298872c82aa4f57113614e10930bbf628335df7319ab7a0179266e5f6
Opcode Fuzzy Hash: e89a78aaaa3e7cbef1e041509af2a872e2bf89b1a9663248510f4de3f709e0c7
Instruction Fuzzy Hash: 29917B71D00219CFDB20DFA8C840BEEBBB2BF48315F1585AAE849A7344DB749985CF91

Function 0236D4C8 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0236D72E

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 36904a1167fb5d69e75110102e59fcae7f53ec1c15fc76e40d8fecdfbd32bd90
Instruction ID: 55e5f28a8a3ee4b4363d8f526a855bb0bbc4da952f3c70e65fefec614bdc6892
Opcode Fuzzy Hash: 36904a1167fb5d69e75110102e59fcae7f53ec1c15fc76e40d8fecdfbd32bd90
Instruction Fuzzy Hash: EA813570A00B058FD724DF29C4497AABBF5FF88304F10892AD48AD7A54D775E849CF91

Function 0236FAD0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0236FBE2

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 60d7e71675b31d9a2ed650a0cba9f89f8ac8875990559f83b226aa500ab53d46
Instruction ID: 7daece694bcfa66f0a004a7f2ff5f9bc1510d16c4a8337b476e0c9d3e4aa7bf0
Opcode Fuzzy Hash: 60d7e71675b31d9a2ed650a0cba9f89f8ac8875990559f83b226aa500ab53d46
Instruction Fuzzy Hash: 6141CEB1D003499FDB14CFA9D984ADEBBB5FF48314F24852AE819AB214D7709885CF91

Function 02367848 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236780F

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c91e0d89a92a1a5a885ef0d89b4fc1a8157f8c453e7567ce88ebab48c543279c
Instruction ID: 8869022eea4cee4f984db99e3fac5dffa41ec8bd4e9dbd5a984bdaea7cb07cca
Opcode Fuzzy Hash: c91e0d89a92a1a5a885ef0d89b4fc1a8157f8c453e7567ce88ebab48c543279c
Instruction Fuzzy Hash: D6419F78E803448FEB08DFA0E458BB97FBAF749304F108829E941AB399DB754816DF11

Function 04A34762 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04A35991

Memory Dump Source

Source File: 00000000.00000002.1760462005.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_rwzBBMVxUb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba9cb6dfd78d21a7786a1f3637eb716abe7bc5e37e372ddd3032f31991374ad4
Instruction ID: 001bc2c1e8c86fb3e3207d34b636b6c27b022a3f7d4811fef55dd1f742a965ee
Opcode Fuzzy Hash: ba9cb6dfd78d21a7786a1f3637eb716abe7bc5e37e372ddd3032f31991374ad4
Instruction Fuzzy Hash: 9141E2B0C00619DFDB24CFA9C8847DEBBF5BF49305F24806AE408AB255EB756946CF91

Function 04A3476C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04A35991

Memory Dump Source

Source File: 00000000.00000002.1760462005.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_rwzBBMVxUb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 15130b88f065a0bc4194df80eb91c619beafd3655687eb124df49dea1ba6b68b
Instruction ID: 054cf9ad59a3588080abcb4432d3db2df074d909b3ea3c005d5f72e7389ca78d
Opcode Fuzzy Hash: 15130b88f065a0bc4194df80eb91c619beafd3655687eb124df49dea1ba6b68b
Instruction Fuzzy Hash: 8841DFB0C0061DDFDB24CFA9C844B9EBBF5BF48305F20806AE408AB255EB756949CF91

Function 04A358D7 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04A35991

Memory Dump Source

Source File: 00000000.00000002.1760462005.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_rwzBBMVxUb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 14174326546f325b89211e33870ead8923661322c8535c1521ac0fa9d0bdd9b0
Instruction ID: a6610093e2d817d07086d1d276e59b5df9a937d9ecda3783060e0db1bae1d3eb
Opcode Fuzzy Hash: 14174326546f325b89211e33870ead8923661322c8535c1521ac0fa9d0bdd9b0
Instruction Fuzzy Hash: 7141D2B0C00619DFDB24CFA9C9447CDBBF5BF49305F24806AE408AB255EB756949CF91

Function 04A32300 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04A323C1

Memory Dump Source

Source File: 00000000.00000002.1760462005.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a30000_rwzBBMVxUb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: caa897f6fdfe9668f4ce046e444027156791285b32207866b5b3676e141d4a33
Instruction ID: 09b198f32afe42f6313926aca2b85ea284311ce0eeabf367d8648fd4ce2655fe
Opcode Fuzzy Hash: caa897f6fdfe9668f4ce046e444027156791285b32207866b5b3676e141d4a33
Instruction Fuzzy Hash: 8E4126B5A003098FDB14CF99C448BAAFBF5FB88314F25C499E519AB321D734A845CFA1

Function 086A78F8 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 086A7990

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cae6e9dd264e129578e87592926f463f39f8e8e399a1b90d615d0a5b562803c9
Instruction ID: f43b675549b89cbc6e913a49618039a69548d62d5ef47832dcf885f72880ce9b
Opcode Fuzzy Hash: cae6e9dd264e129578e87592926f463f39f8e8e399a1b90d615d0a5b562803c9
Instruction Fuzzy Hash: C72157B19003598FDB10CFA9C985BDEBBF1FF48310F10882AE559A7250C7789955CFA4

Function 086A7900 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 086A7990

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: af0c994b4a64226ae05d51c2ef6e2e474cb552154d91c505da8eef6529c5d96c
Instruction ID: 2f538e618767bb92e24dbecbae0b710799fb0aa0ae87eb6e1cbb12fee9cea567
Opcode Fuzzy Hash: af0c994b4a64226ae05d51c2ef6e2e474cb552154d91c505da8eef6529c5d96c
Instruction Fuzzy Hash: 9B2136B19003599FDB10CFA9C885BDEBBF5FF48310F10842AE958A7250D7789954CFA5

Function 02367780 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236780F

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47b6672b8b6da89989dfab6427d1a5b55e98a33576e1e61af0cab1a1adb84208
Instruction ID: b779b131244394c31dac810154086aa1ea583e590ebd0a315ba610e617020014
Opcode Fuzzy Hash: 47b6672b8b6da89989dfab6427d1a5b55e98a33576e1e61af0cab1a1adb84208
Instruction Fuzzy Hash: CF2103B59002089FDB10CFA9D985AEEFFF4FB48324F10841AE918A3310D374A944CFA4

Function 086A7A18 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 086A7AA0

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 68d89e74efdfde9d481835159d0ea7a08f09008e2f3396b8a65a21492044dcbf
Instruction ID: 07650477bf367f71b5dc71701d2bfe2006c4119c3d0cc36367135a04a325c62c
Opcode Fuzzy Hash: 68d89e74efdfde9d481835159d0ea7a08f09008e2f3396b8a65a21492044dcbf
Instruction Fuzzy Hash: 1E2148B1D002499FCB10DFA9C980ADEFBF5FF88310F10842AE959A7250C7389954CFA4

Function 086A7670 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 086A76F6

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d92d045179bdd2d7a8ee60ea3eec07e1ad5864dbc82cb2a38144f7200356d077
Instruction ID: 290e8af5849c39397f8ff6a3474089e76a7ca63ad2002c1ad61a08e4895395c2
Opcode Fuzzy Hash: d92d045179bdd2d7a8ee60ea3eec07e1ad5864dbc82cb2a38144f7200356d077
Instruction Fuzzy Hash: CF2138B2D002098FDB10DFAAC5857EEBBF5AF48324F14842ED559A7240C7789945CFA4

Function 086A7678 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 086A76F6

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 06ced9518264b09a5042c99af66dde1504eb564abbf497dd7b22eab463fd79fc
Instruction ID: d933c7735e94f45b94ace755f0db2a9b24453820176da7620ea2e3744ef75666
Opcode Fuzzy Hash: 06ced9518264b09a5042c99af66dde1504eb564abbf497dd7b22eab463fd79fc
Instruction Fuzzy Hash: CB2138B19002098FDB10DFAAC485BEEBBF4EF48324F14842AD459A7241C7789944CFA5

Function 086A7A20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 086A7AA0

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8622722e7ce6662df222e63d1bab31394ebc5412f2b82c9f7211acf7259233eb
Instruction ID: c4dbe10b108b36dccc374d4160af2f7bd560caa1dfff9173ca3013c4af8bdb50
Opcode Fuzzy Hash: 8622722e7ce6662df222e63d1bab31394ebc5412f2b82c9f7211acf7259233eb
Instruction Fuzzy Hash: 702128B19002599FCB10DFAAC840ADEFBF5FF88310F10842AE559A7250D7349954CFA5

Function 02367788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0236780F

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 71257a62aaa298c8b8dff12e25072392822b59308a35d6bb1d31328c2d90aba6
Instruction ID: 18bb3b70676987fcfd119a69e3a95a0260e6e90ed3e509ce279767127ddbda61
Opcode Fuzzy Hash: 71257a62aaa298c8b8dff12e25072392822b59308a35d6bb1d31328c2d90aba6
Instruction Fuzzy Hash: 9921E3B59002489FDB10CFAAD984AEEFBF8EB48324F14841AE914A3210D374A940CFA5

Function 086A7808 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 086A787E

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 42d44b3ee8c19257e9851bf7004b1526ad460714bac64e52d00769b1835771b1
Instruction ID: d234be5a3220fec56bbf350fc615c23466758d87f08275132cf43e4fcb53ba15
Opcode Fuzzy Hash: 42d44b3ee8c19257e9851bf7004b1526ad460714bac64e52d00769b1835771b1
Instruction Fuzzy Hash: 881156B19002489FCB10DFA9C844ADFBFF5EF88324F20842AE559A7250CB759944CFA4

Function 086A7810 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 086A787E

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 152e07726db3c4b3f0ccec09daad577e714155940e250fa94b87994621bfa879
Instruction ID: 1732d482d9ceb6464513b096ed6fb1a9c5a5d1cbf500cb785e903509ee9d38ca
Opcode Fuzzy Hash: 152e07726db3c4b3f0ccec09daad577e714155940e250fa94b87994621bfa879
Instruction Fuzzy Hash: BA1137719002499FCB10DFAAC844BDFBFF5EF88324F108429E559A7250C775A954CFA5

Function 086A7590 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 086A75FA

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 81fd944aacc6365887c44c872c31f20794e4c1090be48c877fce78d98f9f70ab
Instruction ID: 201819378e039960d3d0c65311e66d9696e3a62c1a8c5cd15808dd8fe8e0ce7e
Opcode Fuzzy Hash: 81fd944aacc6365887c44c872c31f20794e4c1090be48c877fce78d98f9f70ab
Instruction Fuzzy Hash: AE116DB19002488FDB20DFA9C5457DFFBF5AF88324F10882AD059A7250CB759944CF98

Function 086A7598 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 086A75FA

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8168fcf6bbc846966d4fbdaceb956afaefee0fd6fa7c15b004cfcfa63341e29e
Instruction ID: 9df1a615a0e2bf6ac124627573f5d390e8da658db968ff8bbbdec139c8a91a19
Opcode Fuzzy Hash: 8168fcf6bbc846966d4fbdaceb956afaefee0fd6fa7c15b004cfcfa63341e29e
Instruction Fuzzy Hash: 52113AB19002488FDB10DFAAC4457DEFBF4EF88324F208829D459A7250CB75A944CFA5

Function 0236D6C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0236D72E

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d5e4d6d62a624e996edc6355a925fa7a8575aafbd5378666beb9887ac16f8d6d
Instruction ID: e37e592c8a337487f8cc2c6f443f7d3d2baf9257edf0b3f0b14194115bd6dec6
Opcode Fuzzy Hash: d5e4d6d62a624e996edc6355a925fa7a8575aafbd5378666beb9887ac16f8d6d
Instruction Fuzzy Hash: 9F1110B5D002498FCB10CF9AC448ADEFBF8AB88324F10C42AD458A7610C375A545CFA5

Function 086A9700 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 086A9765

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3484d035c43e4f32c343aa12b59c079f5b473bb3e1c7350f14839db9ae60bdc0
Instruction ID: f42288cda4f5e808a9f833adef54450e96ea50c987baffa26b088c5f1a662416
Opcode Fuzzy Hash: 3484d035c43e4f32c343aa12b59c079f5b473bb3e1c7350f14839db9ae60bdc0
Instruction Fuzzy Hash: 4C11F2B58007489FDB10CF99C585BDEBBF8EB48324F20841AE558A7650C375A944CFA5

Function 086A9708 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 086A9765

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2e515b3312216564b00ec658aaf99b11ec81911a88a7ad012693f89f2accd6a9
Instruction ID: 290582edc0f0408b908cc88981a3fe70a54a02f344d83d6867456cb01f1f3ad9
Opcode Fuzzy Hash: 2e515b3312216564b00ec658aaf99b11ec81911a88a7ad012693f89f2accd6a9
Instruction Fuzzy Hash: 7511D0B58003499FDB10DF9AC985BDEBFF8EB48324F20845AE558A7610C375A984CFA5

Function 02320260 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

8bq, xrefs: 023202E5

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: bffc61c584996e5c0b5f0349bdd2c47e96487510044369037e79b528cf04ff84
Instruction ID: 62db55ae2edd2909df95889b1af3585893fc127eaf84b541e3a0d48a7085a405
Opcode Fuzzy Hash: bffc61c584996e5c0b5f0349bdd2c47e96487510044369037e79b528cf04ff84
Instruction Fuzzy Hash: C5B1B274E04228CFDB58DFA9D844B9DBBB6FF59300F20816AD409AB351DB34A989CF51

Function 02320A50 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02320ABB

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 68f1406533d36ec3397085ed2652a40be609b8751e6d4a303c9b25cdd4ecd381
Instruction ID: b371fc910e23af96558a20fa096752675f9fe6637d1094ec8f7aafeb3ec0d9c6
Opcode Fuzzy Hash: 68f1406533d36ec3397085ed2652a40be609b8751e6d4a303c9b25cdd4ecd381
Instruction Fuzzy Hash: 7A112171F002198BCB58EBB999506EFB6F7ABD4314B50406AC505E7244EB35DD09CBA1

Function 02321700 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5ff781e15cdbc412497f6c64d0b2ba8c93c0b237c63c17bae2561a9afee634
Instruction ID: 7ac6c74e4eb8f055dfb65aa94713dddf69e16aca64b3a1213805ccfa65d63470
Opcode Fuzzy Hash: 1c5ff781e15cdbc412497f6c64d0b2ba8c93c0b237c63c17bae2561a9afee634
Instruction Fuzzy Hash: 16614A31A00619DFDB14DFA9C584A9DBBF2FF88314F208159E909AB361DB71ED85CB80

Function 02320F38 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c7665b901291c5fc970a838e694db46c8dbd7028560a354bd73704eda57c70
Instruction ID: 500e8fe4b401c5dfaad67a5edcc60ebbaf16bda18ed29929e798f6e14354f49e
Opcode Fuzzy Hash: 57c7665b901291c5fc970a838e694db46c8dbd7028560a354bd73704eda57c70
Instruction Fuzzy Hash: 5C21DC71A003154FCB29EFB9885857FBBB7EFD82203154829E806DB281EF349C0A8760

Function 0096D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749071604.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b889be084854251c91ecbec40627c01838e90fc75741779df3227425dfc9973c
Instruction ID: ba51977a8c13b3d79e70e8864972fff25647a5346342e3ecb992538158c4954e
Opcode Fuzzy Hash: b889be084854251c91ecbec40627c01838e90fc75741779df3227425dfc9973c
Instruction Fuzzy Hash: EA213A71A00244DFDB05DF14D9C0F17BF65FB98318F24C569E90A4B65AC33AD856C7A2

Function 0096D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749071604.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9453f1e4f9a10c59e693c5abe20218ea7a10644cac3b8878cb8c61489b30fe
Instruction ID: bb9cc45d2e88ce9bfd4c17b0491e0cd141d3e9074f66c1011d5fd66e9a1b784b
Opcode Fuzzy Hash: dc9453f1e4f9a10c59e693c5abe20218ea7a10644cac3b8878cb8c61489b30fe
Instruction Fuzzy Hash: 9E213771A05200DFDB05DF14D9C0B27BF66FB98324F24C569E9094B2A6C73AEC56C7A1

Function 0097D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749136033.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d7a5e11201edb2478f8e9487874a90f232ba2bda39689c567bae6de586e6f2
Instruction ID: 14364d5e1f4d44e3c81f5eafdd67e15d66d5769a37ffbb4759639097fc24fe84
Opcode Fuzzy Hash: 93d7a5e11201edb2478f8e9487874a90f232ba2bda39689c567bae6de586e6f2
Instruction Fuzzy Hash: 5F21D072604200EFDB05DF14D980B26BBB5FF84314F24CAA9E94D4B296C33AD846CA61

Function 0097D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749136033.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42171a2efb3e049ce3313e3e1c35e7da89d88561b03eaeb2c9928226d860c9ae
Instruction ID: 9a1b9d3bf3cf337cda72bcd1dc12bfc386be7a7f015601f8a430254f19a462f9
Opcode Fuzzy Hash: 42171a2efb3e049ce3313e3e1c35e7da89d88561b03eaeb2c9928226d860c9ae
Instruction Fuzzy Hash: AF21FF76604200DFDB14DF24D984B26BBB9FF88314F24C96DE80E4B296C33AD847CA61

Function 02320BF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d537619f45840592d9b3de2c5017a1b5e01749fc89da80dbe5f8d83d8a920a
Instruction ID: f636cddb112bf0e48a97cddb892cd10b9ef542fc01e2dbe2268de50f30ca02bd
Opcode Fuzzy Hash: a0d537619f45840592d9b3de2c5017a1b5e01749fc89da80dbe5f8d83d8a920a
Instruction Fuzzy Hash: 4331F5B0D00228DFEB20CF99CA48B8EBFF4AB48314F14805AE448BB255C7B56949CF94

Function 0097D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749136033.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54e55c25a7c7661bce2c3eddae9e85dadeb86d27ef8b72457f84c4df04ee5e1
Instruction ID: d5d832f248483e62033791b520cc62f2fe62e3ce6f2e8e02e3236ea6404464c9
Opcode Fuzzy Hash: b54e55c25a7c7661bce2c3eddae9e85dadeb86d27ef8b72457f84c4df04ee5e1
Instruction Fuzzy Hash: 88215E765093808FDB12CF24D994715BF71EF46314F29C5EAD8498F6A7C33A980ACB62

Function 0096D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749071604.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 046c70062615fe4c4a2aac34a520bc8a731979bd972d6559ac2f499e52a18f86
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3211D676904240CFDB15CF14D5C4B16BF71FB94314F24C5A9E90A4B65AC336D856CB91

Function 0096D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749071604.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b4a23ea6a573994bea35210db5758322daf7fd86a7ac57b60e8ce02215487c82
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F0110376905280CFCB02CF00D5C4B16BF72FB94324F24C5A9D8090B666C33AE85ACBA1

Function 0097D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749136033.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_97d000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e48895c9595ec40132838d2eedde596afaab760d95634e57064f5d4673ff7a58
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 12117976504280DFDB16CF14D5C4B15BBB1FB84314F28C6AAD8494B696C33AD84ACB61

Function 023201D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f37a8d4dd677edf47fc411bc36e36c165c9f1aec2abd54ed75f7b16371c8616
Instruction ID: 704b95c1e214acad99b9dcd610234b45276087a556ac517db37e2d9ab9c7046f
Opcode Fuzzy Hash: 1f37a8d4dd677edf47fc411bc36e36c165c9f1aec2abd54ed75f7b16371c8616
Instruction Fuzzy Hash: E1E04834945218DBC708DFA4E4446BDBB79FB6A311F109154E84513791CB307F5ADB94

Function 023258F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6078cc2390ba3394401e68bd8020b41ada4ce309411ac392aee3c4f3c07a28
Instruction ID: 982ad5245065604e18f701c6010eacb57d05ad5d656148cf1d89d4d64e8651ee
Opcode Fuzzy Hash: cb6078cc2390ba3394401e68bd8020b41ada4ce309411ac392aee3c4f3c07a28
Instruction Fuzzy Hash: 27E0AE74D05218EFCB54DFA8E84469CBBB9AB48310F10C1A9A808A2210D7355B55DF91

Function 02320660 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055b14a93b52c6ed9c66873ff7a8bb17495f45a01c873848adf0453d023ab8f6
Instruction ID: f366a60ca4b5f94e1fc6c61bd824c3c092cdf37b0b98554f6cbbac42df1e4a24
Opcode Fuzzy Hash: 055b14a93b52c6ed9c66873ff7a8bb17495f45a01c873848adf0453d023ab8f6
Instruction Fuzzy Hash: 64D0223048F12CEBC748CAE4D400AB973FCD782208F001098940813632CF742E08C695

Non-executed Functions

Function 0236DBD0 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

U, xrefs: 0236DE21

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: e54bf8c329219c6a4fb348aec84ec277c86c456c9a7ef3a6cb56d9fdbb7f3889
Instruction ID: e3a0b009c8543ccdbbc9cc2d8c904bf74883a4eee65dab88edf5de0c960efeb1
Opcode Fuzzy Hash: e54bf8c329219c6a4fb348aec84ec277c86c456c9a7ef3a6cb56d9fdbb7f3889
Instruction Fuzzy Hash: 075249F8940B068FDB18CF18E88C2997BF1FF61318FD08A19D1619B2A5D7B4656ACF44

Function 086A56A9 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

, xrefs: 086A57DD

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 32ee8c1ecc0a013acb99380afc84fe4e065a274381571653823ffd819cf64a1f
Instruction ID: 71e0420993f6d3bce842f25ac160e67e23b274f2cbdbc808456ee790d42db56d
Opcode Fuzzy Hash: 32ee8c1ecc0a013acb99380afc84fe4e065a274381571653823ffd819cf64a1f
Instruction Fuzzy Hash: 4412BDB4E01218CFDB14CFA9D984ADDBBB2BF88305F1581AAE50AA7355D7349D82CF50

Function 086A6740 Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

4'^q, xrefs: 086A6C48

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 07a731c407df72c01f2902f763f51d7df358ca443e47fa96b49adb75f31406ac
Instruction ID: 4f71c831de09a2684e7038fb16e22bf2c8527f3f0a95635d67e929c5b1bec2f6
Opcode Fuzzy Hash: 07a731c407df72c01f2902f763f51d7df358ca443e47fa96b49adb75f31406ac
Instruction Fuzzy Hash: 78E13D34A00209DFDB05DFA8C594AAEBBB6FB88300F158469D805B7364DB35ED8ACF51

Function 0236C1B8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749666567.0000000002360000.00000040.00000800.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166e04d567f5d72ce118de8d123e109430ad1ddba050bf5d85d022fb0926385
Instruction ID: a9e1bb822dc9ed81af9f1e789219524d499f50e28ff31ed4bd638fc47d272904
Opcode Fuzzy Hash: 4166e04d567f5d72ce118de8d123e109430ad1ddba050bf5d85d022fb0926385
Instruction Fuzzy Hash: 19A17F32E102158FCF15DFB4C8885AEB7B6FF85704B15896BE845AB229DB31D916CF80

Function 02321AC0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1749477744.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: true

Associated: 00000000.00000002.1749447768.0000000002310000.00000004.08000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2310000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af280484c245ba87445d4f3ff972537ce3163d455e53a7aa326240dcb41199e0
Instruction ID: e3867063a1403802a67a20f510726e01ee0a2d0d265ff6f83b0dfa5ad04e8f65
Opcode Fuzzy Hash: af280484c245ba87445d4f3ff972537ce3163d455e53a7aa326240dcb41199e0
Instruction Fuzzy Hash: A9D1F63192065ACADB11EFA4D950A9DF771FF95300F11C79AE50A37221EB70AAC9CF81

Function 086A6028 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8ba3b84be096d49a58806b80b3501fce6133265f83af5c507987445a5963d8
Instruction ID: 69933a726b20782de5b55ac544d638d14a4cfd3818e0aea60d87dd8956a24bf9
Opcode Fuzzy Hash: 4e8ba3b84be096d49a58806b80b3501fce6133265f83af5c507987445a5963d8
Instruction Fuzzy Hash: 658103B4E012098FCB04DFE9D5806AEBBF2AF98301F19D069E418AB355DB349D86CF50

Function 086A601A Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79773e96e3b49b002cb88ea0b944db66f073d6b23a82e1c4c053beb7de8fc303
Instruction ID: f2173c3920018a1d964e3f089a4cbe5821186318f0940ea5569600bcd0068216
Opcode Fuzzy Hash: 79773e96e3b49b002cb88ea0b944db66f073d6b23a82e1c4c053beb7de8fc303
Instruction Fuzzy Hash: 43610374E012488FCB04DFE9D5846AEBBF2AF99301F19D069E409AB355DB349E86CF50

Function 086A0040 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d6323d96155f92553c8ab1af1260c4b91504976efd698d5a30a5462ed86803
Instruction ID: ec869463051e5a2a2d0d766255af48a1fcd96bafce783e01e59c7c3d21959e24
Opcode Fuzzy Hash: 75d6323d96155f92553c8ab1af1260c4b91504976efd698d5a30a5462ed86803
Instruction Fuzzy Hash: 45411D71E056188BEB1DCF6B8D5069EFAF7BFC8200F14C1BAD90CAA254DB701A428F15

Function 086A003B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16889cf9ce60bb99b3af381463c6e5498245400af1aa139ba729b634141d3ed2
Instruction ID: b9aea5819e224bdcebd31087e3f937197c67b56fdccd31278cb232c9afdbdc4e
Opcode Fuzzy Hash: 16889cf9ce60bb99b3af381463c6e5498245400af1aa139ba729b634141d3ed2
Instruction Fuzzy Hash: B7312371E056588BEB1DCF6B9D4069EFAF7BFC8200F14D1B9D90CAA265DB7006428F11

Function 086AAC28 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6927c5e409d72e2234e6db86ad939ec56e92cf5a73e9cc3683737f9bbf76c46d
Instruction ID: e6feb0e56ebe843507bdfabdc6acdbe2331e966948747cf1b55d260b10ccd096
Opcode Fuzzy Hash: 6927c5e409d72e2234e6db86ad939ec56e92cf5a73e9cc3683737f9bbf76c46d
Instruction Fuzzy Hash: CC115E71D052298FDB049FA4D445BFEBBF0AB09312F15A07AD01277391D7748985DFA8

Function 086AAC38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7d5c3452fb296261637feaeacf0892da63650a169da9ed22222212ba8277da
Instruction ID: e63a1244198f15997b974051e47e75fc7e652f00ea8ff79f537e52f81090a00b
Opcode Fuzzy Hash: 2a7d5c3452fb296261637feaeacf0892da63650a169da9ed22222212ba8277da
Instruction Fuzzy Hash: EF111830D052698FDB148FA5C408BEEBBF1AB49312F15906AD016B3291CB788984DF68

Function 086AAB78 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f38826ecc5d319ad6f08a49cf158ba6cb92fc376601afb5d583254c03be373f
Instruction ID: 303ece10f10f54254b361f1e572bbfc0c1b86ecb9dcef83f0ebb4ff0fdcb9f40
Opcode Fuzzy Hash: 6f38826ecc5d319ad6f08a49cf158ba6cb92fc376601afb5d583254c03be373f
Instruction Fuzzy Hash: 09112A71D052698FDB14CFA5C418BEDBAF2AB4E312F15906AD015B3291CB784944DF68

Function 086AAB74 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1764289973.00000000086A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 086A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_86a0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5335c3e38bc15cfdc4e182858d626f5cb3fecb1014d9b63b93e4611b3fd94a9f
Instruction ID: a5031d81f375cf5206337d95d59ce0eb9bac0601f36e0215792ca716efd11409
Opcode Fuzzy Hash: 5335c3e38bc15cfdc4e182858d626f5cb3fecb1014d9b63b93e4611b3fd94a9f
Instruction Fuzzy Hash: 18117930D052298FDB108FA4C408BFDBBF2AB0A302F15906AD016B7291CB788944DF68

Analysis Process: rwzBBMVxUb.exePID: 7080, Parent PID: 6256COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.7%
Total number of Nodes:	222
Total number of Limit Nodes:	23

Executed Functions

Function 01215F20 Relevance: 8.4, Strings: 6, Instructions: 864
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 01215F3F
\, xrefs: 0121615E
PH^q, xrefs: 012165B0
\, xrefs: 01215F99
\, xrefs: 01216069
\, xrefs: 01216123

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: LR^q$PH^q$\$\$\$\
API String ID: 0-413451394
Opcode ID: a5f162fbe79f650dcf69f94452ed8edf722720040d93430cd66195707e3781ea
Instruction ID: 690dbc86413724310ffc3a2ab12d64a53a3967482d153996feab9de844393d02
Opcode Fuzzy Hash: a5f162fbe79f650dcf69f94452ed8edf722720040d93430cd66195707e3781ea
Instruction Fuzzy Hash: 3B62AD31B102059FDB24DB78D8487AEBBF2AF84310F148569E50ADB399EF75DC428B91

Function 01227B30 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 310
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01227D67

Strings

LR^q, xrefs: 01227D9E
LR^q, xrefs: 01227E02

Memory Dump Source

Source File: 00000002.00000002.4147782857.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_rwzBBMVxUb.jbxd

Similarity

API ID: InitializeThunk
String ID: LR^q$LR^q
API String ID: 2994545307-4089051495
Opcode ID: 20689004c8ae1d8e6e95538e1a0b6a35ea7134c3a315943e6bb701c4a803dc1a
Instruction ID: ddb89604eb00bfa0068aa08f6a1149d6253eb2ae59a1b33379e12adffafdc577
Opcode Fuzzy Hash: 20689004c8ae1d8e6e95538e1a0b6a35ea7134c3a315943e6bb701c4a803dc1a
Instruction Fuzzy Hash: 00B1F431B183459FC706DB78D854A6E7BF2AF96300F1885AAE145CB393EA74DC05CB61

Function 0121A058 Relevance: 5.3, Strings: 4, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 0121A3BE
Xbq, xrefs: 0121A4C4
Xbq, xrefs: 0121A3F8
Xbq, xrefs: 0121A477

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 120135265153f77c9ff7c50b51f9dc733dffcccbcbc7601b9e5e1b39eb492f52
Instruction ID: 8aa51db8cf704be399321c52de4ec7ca86bc02568ff0615322af39eabab64a60
Opcode Fuzzy Hash: 120135265153f77c9ff7c50b51f9dc733dffcccbcbc7601b9e5e1b39eb492f52
Instruction Fuzzy Hash: DAB1D430E113558FDB28DB78C89876EBAE2BF94300F248469D1169B398DF75DC41CB92

Function 0121CBE0 Relevance: 2.3, Strings: 1, Instructions: 1046COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0121D7F7

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Xbq
API String ID: 0-63242295
Opcode ID: 16d63f71049e8bc05f21d0d86e0b65bd6a824dac535c7dde3ef4ed7b48708a87
Instruction ID: a4b6c17e65503c36710bac6412e9ffad0b05a2472b6489fa0c20aed0004437c9
Opcode Fuzzy Hash: 16d63f71049e8bc05f21d0d86e0b65bd6a824dac535c7dde3ef4ed7b48708a87
Instruction Fuzzy Hash: 12721731F102099FDB25DBBCD8987AEBBF2AF95310F148869E205DB399CA31DC418791

Function 01217207 Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4077127d141199d7a03c15d35ea7bb11f26f45b3ba55426d8f68f63dfab25dff
Instruction ID: d1860fb40dcfe98deddc5c189c46146dd83776651a26ecbe8f6ab0953260521a
Opcode Fuzzy Hash: 4077127d141199d7a03c15d35ea7bb11f26f45b3ba55426d8f68f63dfab25dff
Instruction Fuzzy Hash: 76428F30E102498FEB24DB78C89476DBBF2BF95300F248469D509AF29ADB75DC85CB52

Function 0121C168 Relevance: 6.6, Strings: 5, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 0121C2E4
XPcq, xrefs: 0121C3DE
PH^q, xrefs: 0121C537
PH^q, xrefs: 0121C474
\Ocq, xrefs: 0121C4A2

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: fcq$PH^q$PH^q$XPcq$\Ocq
API String ID: 0-2308457832
Opcode ID: 453d0b7aa0a8f5d1c3127f76c2d6789925831dba0b458578faee58e4faf85b08
Instruction ID: fd5e3b4d52c7a88e5a63629cefba1d36e384ec5fe83b81b3f602d109930ef1ba
Opcode Fuzzy Hash: 453d0b7aa0a8f5d1c3127f76c2d6789925831dba0b458578faee58e4faf85b08
Instruction Fuzzy Hash: 9CC10474A502098FDB25DFB8D4447AEBBE6FF94310F20886AD51ADB398DB309C15CB51

Function 012186A0 Relevance: 4.2, Strings: 3, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;^q, xrefs: 01218AD4
4'^q, xrefs: 012186B9
4'^q, xrefs: 012186DF

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: 89e86fc82650e9c91d3a5a5211e5ed3a477348e727ef9430af31e20426f38650
Instruction ID: 089260ec2024365cfb05c92f04d07008bc888ed70cd6eebb1c9aa72875fba807
Opcode Fuzzy Hash: 89e86fc82650e9c91d3a5a5211e5ed3a477348e727ef9430af31e20426f38650
Instruction Fuzzy Hash: 75F1C2353241028FEB29DA3DC8D57397BD6AF94714F1944A6E602CF3AAEA75CC42C742

Function 01216ED0 Relevance: 4.0, Strings: 3, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 012171A5
fcq, xrefs: 0121713D
fcq, xrefs: 01217131

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: fcq$ fcq$PH^q
API String ID: 0-4172635152
Opcode ID: 2121a4784eaea32baff2a9893938b1a6ce0b75b48678d47779182521d9c693a8
Instruction ID: 4fa1e6e0f2a7d3c0b64c4d7703451915a2df208ce560a81926d06fd82fe2ac47
Opcode Fuzzy Hash: 2121a4784eaea32baff2a9893938b1a6ce0b75b48678d47779182521d9c693a8
Instruction Fuzzy Hash: C9715035B102098FDB58DBB9D45876E76F7AFC8750F144428E50ADB388EF749C428B92

Function 01216AF8 Relevance: 3.0, Strings: 2, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 012171A5
fcq, xrefs: 01217131

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: fcq$PH^q
API String ID: 0-2325994563
Opcode ID: 943c7a280ce2b2339d1dd70cf9f8460125d8e31c5ee021156d7916bcc59569e0
Instruction ID: 778c0008692266137b84d163d491526d1cdfb7e7c9bff547e39bf4d453ee2d79
Opcode Fuzzy Hash: 943c7a280ce2b2339d1dd70cf9f8460125d8e31c5ee021156d7916bcc59569e0
Instruction Fuzzy Hash: 7D026C31B1020A8FCB15DB78D45876E7BF7AF88300F148569E50AEB399EF759C428B91

Function 0121BAE0 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 0121BE44
4'^q, xrefs: 0121BE2D

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: b4377a49970b6202699154d575aeb3199d5d19fdbfdc7501c5eea75bb552e50b
Instruction ID: 468e72433ba084f19741c2d6736f6551bfb745d6f1803861bbb243fe4ef3d2b2
Opcode Fuzzy Hash: b4377a49970b6202699154d575aeb3199d5d19fdbfdc7501c5eea75bb552e50b
Instruction Fuzzy Hash: 9BC10970A102058FC715CF2CC88466ABBF6FF98310F588566E918DB35AEB31ED52C7A1

Function 012194E8 Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

Hbq, xrefs: 012196FA
Hbq, xrefs: 0121972D

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: ecc73030501d629b3984a9e2a2efdb3b08673f4fe91de8627948303dc50405aa
Instruction ID: 8e59281891b3acb7599d692acae0c873621e6d8436d6365d74de7bcf3882abdb
Opcode Fuzzy Hash: ecc73030501d629b3984a9e2a2efdb3b08673f4fe91de8627948303dc50405aa
Instruction Fuzzy Hash: D7919E70B101099FDF19EE68D865B6E7BE6BB98744F148828E605DB384DF70DC41CB91

Function 01215E70 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01215F3F
\, xrefs: 01215F99

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: LR^q$\
API String ID: 0-1717531024
Opcode ID: 206dfffcb15c602b1477fe272c4ad6e93f089d4bd5bab871e8a81f22fe3ed613
Instruction ID: b97a068228fc22ed25e6779150e31e7cf59d6249cad42f18a193752f9807ed06
Opcode Fuzzy Hash: 206dfffcb15c602b1477fe272c4ad6e93f089d4bd5bab871e8a81f22fe3ed613
Instruction Fuzzy Hash: 4541F671F142419FD706DB78C840BBF7BFAABE2340F1481AAE108DB295EB74D8058791

Function 012171BF Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

PH^q, xrefs: 012171A5
fcq, xrefs: 01217131

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: fcq$PH^q
API String ID: 0-2325994563
Opcode ID: fc8de4ada8817f1da4518f1f24fa4a124cbb43f818d86a931885a50c95d4f540
Instruction ID: b80e0bb9b71b63611f276c8018b953cf9fbb3d5b02bf339e6ac351b956806620
Opcode Fuzzy Hash: fc8de4ada8817f1da4518f1f24fa4a124cbb43f818d86a931885a50c95d4f540
Instruction Fuzzy Hash: 23415135B102058FDB68DB78E55C76E7AE7AFC8650F244428E506DB398EF748C428B91

Function 012246E8 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01224729

Memory Dump Source

Source File: 00000002.00000002.4147782857.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_rwzBBMVxUb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c2b5d1f893327af9c52c21e70ae6ff345afdfe4e7a02900146faf45a0a7abdc
Instruction ID: ea52e787f577ef3d16b73adae848361734070c260cf88451a9216d8d3cfd640f
Opcode Fuzzy Hash: 0c2b5d1f893327af9c52c21e70ae6ff345afdfe4e7a02900146faf45a0a7abdc
Instruction Fuzzy Hash: 5A615F31B20255DFDB24EFB8D858BAEBBF2AF45300F108528E506AB394DF759845CB91

Function 064F9038 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28928f0670a4521aa4175ea93cdbbdcdc716c10c59c7ff8515f519bcd0297bc2
Instruction ID: 670981ba2aea191ba9de5b1df9398bece2db954fc031e4a6af97c18572a544bc
Opcode Fuzzy Hash: 28928f0670a4521aa4175ea93cdbbdcdc716c10c59c7ff8515f519bcd0297bc2
Instruction Fuzzy Hash: 28415F72E143998FCB05CFB9D8002AEBFF0EF8A210F1486AFD444AB251DB749845CB91

Function 02C766ED Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C7680A

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3452738daf3eafb2a311ead058b4f791e225cafc90e15a85b7a51ae9bae68ff0
Instruction ID: acc6ffc003bbe2598529ce034eb84ba68ae47fb33dcdce681d3a8e7e89144150
Opcode Fuzzy Hash: 3452738daf3eafb2a311ead058b4f791e225cafc90e15a85b7a51ae9bae68ff0
Instruction Fuzzy Hash: C451C2B1D00309DFDB14CFAAC984ADEBBB5FF88314F24812AE419AB210D775A945CF91

Function 02C74764 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C7680A

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 25e928b1a1f1a276ebee0203bf23f8246146a22813e99627138d9b3ef0fc00f0
Instruction ID: 968152f99364bed13582e02b3dcfd82539ae95a06bf4a99b4c62b8a67d872f86
Opcode Fuzzy Hash: 25e928b1a1f1a276ebee0203bf23f8246146a22813e99627138d9b3ef0fc00f0
Instruction Fuzzy Hash: B351C1B1D00309DFDB14CF9AC984ADEBBB5FF88314F64812AE419AB210D775A985CF91

Function 02C7A164 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02C7B579

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7a658107387946b253385bf67f3556a11b3a3c50023357ea30be517010ed6337
Instruction ID: cb0c67d9f9033e028f3809e1262fdfdacbb8705fe5be7a872c2cc60908ced201
Opcode Fuzzy Hash: 7a658107387946b253385bf67f3556a11b3a3c50023357ea30be517010ed6337
Instruction Fuzzy Hash: C341E8B9900745CFCB54CF99C488AAABBF5FF88318F24C459E519AB321D774A941CFA0

Function 064F6F74 Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 064F7039

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 61a2ee2bfeae6e4b55901dfb7e3bd92ad896fd0e7d4b4639a4772389574129e5
Instruction ID: d2c2ddd9f123ae7a19addfe68bc7f39075fa8ee9c25dce1c9c6f9978ba198422
Opcode Fuzzy Hash: 61a2ee2bfeae6e4b55901dfb7e3bd92ad896fd0e7d4b4639a4772389574129e5
Instruction Fuzzy Hash: 8C41FFB1D102589FCB60CFAAD984ADEBBF5BF49314F14802AE918AB320C7759945CF90

Function 064F38E0 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 064F7039

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6e442db3847cafbe9c78a6236c03ae6bc4ce7b83b3edf0850d89ee82977a66dd
Instruction ID: 4ea737ca3573fad3f0165671947f26c5f0cd6cec0d7d66533b1344e974ad3422
Opcode Fuzzy Hash: 6e442db3847cafbe9c78a6236c03ae6bc4ce7b83b3edf0850d89ee82977a66dd
Instruction Fuzzy Hash: 1031F0B1D102589FCB60CF9AD984A9EFBF5BF48314F14802AE918AB310D775A945CFA4

Function 064F6D0C Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 064F6DCC

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c02eab9de6dab0607ccf7af9f4e16e721190b2c144f5e5ba1be1466d9adec599
Instruction ID: ece4f88bcff17cd8dce238d6471d89f0122ba86800811efd00d6fe2e1ebe80d0
Opcode Fuzzy Hash: c02eab9de6dab0607ccf7af9f4e16e721190b2c144f5e5ba1be1466d9adec599
Instruction Fuzzy Hash: 1331FFB1C002498FDB14CF99C584A9EFFF5BF48304F25856AE808AB255C7759885CFA4

Function 064F38D4 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 064F6DCC

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: af1a84636e7209a03e406e60e3f052f8986d8e9e6da59b2b24853e0ecbf0c017
Instruction ID: fef4e5b62d2fa609d7e28168425b2d5b74baf1de24505bdf6de07d0bdfeeb894
Opcode Fuzzy Hash: af1a84636e7209a03e406e60e3f052f8986d8e9e6da59b2b24853e0ecbf0c017
Instruction Fuzzy Hash: C1310DB1D002898FDB10CF99C584A8EFFF5BB08304F29816AE908AB355C7759885CFA4

Function 01224688 Relevance: 1.6, APIs: 1, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01224729

Memory Dump Source

Source File: 00000002.00000002.4147782857.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_rwzBBMVxUb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ea723a52244767a7bd3ca764d6ceb43b7e44262a4d6d243b3e8ee38228a3c52
Instruction ID: 99a7ce1dbc63d4aedbfc379b6b4b62c4ee3dfa78fd62506effbb04711a73d6fe
Opcode Fuzzy Hash: 5ea723a52244767a7bd3ca764d6ceb43b7e44262a4d6d243b3e8ee38228a3c52
Instruction Fuzzy Hash: 5E31A970A10344EFCB15EFB8E458AADBBB2BF45301F148569D001AB291EB399849CF50

Function 02C7A5F0 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7A5BE,?,?,?,?,?), ref: 02C7A67F

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 387bf5236c9564fc96d46fcd132363f7f9a9a638c1c599335164b2daa8515bee
Instruction ID: 4d87febf1b736757eb4b94891985fac30d015d2f628b975081172d08f63f41ec
Opcode Fuzzy Hash: 387bf5236c9564fc96d46fcd132363f7f9a9a638c1c599335164b2daa8515bee
Instruction Fuzzy Hash: AB3126B5900248AFCB00CFAAC884AEEBFF4EB19310F14845AE958A7351D334A944CFA5

Function 02C79F8C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02C7A5BE,?,?,?,?,?), ref: 02C7A67F

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 40eaee70e5bde246d37d89b66719959bbfd6a10ad2efeceb856ea95fcf6f855e
Instruction ID: 2b34b0e3388447425293a06195d3bd4ff9bbc0ebd5be26181907b37315f6e024
Opcode Fuzzy Hash: 40eaee70e5bde246d37d89b66719959bbfd6a10ad2efeceb856ea95fcf6f855e
Instruction Fuzzy Hash: D721E4B5900258DFDB10CFAAD584ADEBFF9EB48314F14801AE918A7310D378A954CFA5

Function 064F9108 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,064F908A), ref: 064F9177

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 83131e11b77bff55f7df7fcebf47f5117368d7b65a2b03b34b60e298a432c40c
Instruction ID: f31fe7b0fdf611427624b5ee0c784993531a4a051c05c189b828f7642a1a950c
Opcode Fuzzy Hash: 83131e11b77bff55f7df7fcebf47f5117368d7b65a2b03b34b60e298a432c40c
Instruction Fuzzy Hash: 701144B1C0026A9FCB10CFAAC544BDEFBF4EF48324F10816AD418A7250D378AA44CFA5

Function 064F6ADC Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,064F908A), ref: 064F9177

Memory Dump Source

Source File: 00000002.00000002.4195325898.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_64f0000_rwzBBMVxUb.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d095304465e0bc045717e315117dd303b86ebcc81a49ab9a2565aa05b54bee32
Instruction ID: 9bf7842a7b292326dd4d7f73abed90f6b72b6fcd1c1233c68a9d3e39f0e38c85
Opcode Fuzzy Hash: d095304465e0bc045717e315117dd303b86ebcc81a49ab9a2565aa05b54bee32
Instruction Fuzzy Hash: 661114B1C006699FDB10DF9AC544BDEFBF8EB48324F10816AE918A7251D378A944CFE5

Function 02C736BC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C756B6

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f414ad17f78101ff9313345e5651f0eedadbdc003e2de31a8bb16e885de2b487
Instruction ID: 72324b1ccdaeb997fd26fc4a31600660cd481f22e3d1e0d77209fd8c3a867d0e
Opcode Fuzzy Hash: f414ad17f78101ff9313345e5651f0eedadbdc003e2de31a8bb16e885de2b487
Instruction Fuzzy Hash: 0011FDB5D007498FDB10DF9AC444ADEFBF4AB88224F50846AD829B7310D379A545CFA5

Function 02C75649 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02C756B6

Memory Dump Source

Source File: 00000002.00000002.4150582836.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2c70000_rwzBBMVxUb.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 790d94991965fe35ae665ce1b66df28ba2511c2834440e4f461db0a9c6b28c13
Instruction ID: cd89870b5c4e6030592c0703bed18b7ee332e7ad5ef18da663c2548b8b64d2ed
Opcode Fuzzy Hash: 790d94991965fe35ae665ce1b66df28ba2511c2834440e4f461db0a9c6b28c13
Instruction Fuzzy Hash: 8611F0B5C002498FDB10DF9AC444BDEFBF5AF89214F14846AD858A7310C375A545CFA5

Function 065E8FF0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065E9EE5

Memory Dump Source

Source File: 00000002.00000002.4195891915.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_rwzBBMVxUb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 052105a7499674be39f3cd79826a13a3d1cfc5de49f3d22ebe253674e6ef5fd1
Instruction ID: f75a00e60bcdda797ef7b4d417d0c49c6bc84a474dbef3bf62c28dba6d6ae749
Opcode Fuzzy Hash: 052105a7499674be39f3cd79826a13a3d1cfc5de49f3d22ebe253674e6ef5fd1
Instruction Fuzzy Hash: 351145B0900749CFCB20DF9AC448BDEBBF4FB48324F108459E618A7210C375A940CFA5

Function 065E9E88 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 065E9EE5

Memory Dump Source

Source File: 00000002.00000002.4195891915.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_65e0000_rwzBBMVxUb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e8f0659e608f37e280db995bb05c39f7610e36ac570fd8560a98e37dfb4c1899
Instruction ID: 95dc14787f7d73ee3b9e31dfff2dbf4968d37b02e5beb5dc50b7c2529725cd1e
Opcode Fuzzy Hash: e8f0659e608f37e280db995bb05c39f7610e36ac570fd8560a98e37dfb4c1899
Instruction Fuzzy Hash: 2B1133B190069A8FCB20CFA9D448BCEFFF4AB48324F24845AD198A7650C335A584CFA5

Function 01215D20 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01215D6D

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 488c765003667a843cc42ae51ba55cf8b73a1ec5d3808b306746ea019e5a6e14
Instruction ID: 88adacb254a710b57a981fbc164d9696241d7763c6c3cb00d494f40985cc4c2b
Opcode Fuzzy Hash: 488c765003667a843cc42ae51ba55cf8b73a1ec5d3808b306746ea019e5a6e14
Instruction Fuzzy Hash: 5A31B234E20105CBDB28EBBCD45437E7AE5EBD5B00F508969D11ADB788DB349D828782

Function 01215CC0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

Hbq, xrefs: 01215D6D

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: f7fe9f528949ba254f138aeb394c2fe4e925d94639fd8b7b60dc925ec30f3178
Instruction ID: a47c166bbd9524cf48421bb20765c9b032f7689d6a9f1ffa791db0b0e8cfed95
Opcode Fuzzy Hash: f7fe9f528949ba254f138aeb394c2fe4e925d94639fd8b7b60dc925ec30f3178
Instruction Fuzzy Hash: BB31D175E142059FCB55DBBCC8087AA7BF1EFA1300F5485FAD408DB296EB368946CB81

Function 01214EB0 Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 448fc784d4810695cbbbe324fdc46a3d4a4c86a31cb59670610979a086d4872a
Instruction ID: 0c7a044c4492be4fef9037326694d607ec421f19a3af1dfa4e81a2a5cf9258f2
Opcode Fuzzy Hash: 448fc784d4810695cbbbe324fdc46a3d4a4c86a31cb59670610979a086d4872a
Instruction Fuzzy Hash: F8129031B102058FCB15DBB8E9586AE7BF2EF99300F1484A9E505DB359EB35DC42CB91

Function 0121EE58 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c164e1b8cf7f91a352ee5195ca5a86933d675710262acc9f0326a912e00ef02d
Instruction ID: 133ff5301b3c2df9c5184e357632822de294d11e259794cfac087a70cb0cec47
Opcode Fuzzy Hash: c164e1b8cf7f91a352ee5195ca5a86933d675710262acc9f0326a912e00ef02d
Instruction Fuzzy Hash: 53F14430F102458FDB05EBB8D9582AE7BF2EF91304F24846AD555EB399DE309C4AC752

Function 012182F0 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d627737dc472caa1568aff3ef96d0a7ec655f4cb62a2c67543404cc1a89ac68
Instruction ID: 28445a534c1ca1b21acc759dc3a5ec97adecff5745fbe7fab10bcfa24cf2012e
Opcode Fuzzy Hash: 8d627737dc472caa1568aff3ef96d0a7ec655f4cb62a2c67543404cc1a89ac68
Instruction Fuzzy Hash: 66A1AB71A10249DFCF15CFA8C884ADEBFF2FF59300F14855AE905AB269DB70A845CB50

Function 01217B40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b4ccde1c71b04b27a775360239f31a357f10710d1e2a68c0b25709e21693428
Instruction ID: 851a18f2e9dfd0e6a4ffe66964495a702f557d53f12513386a637e925fefd33d
Opcode Fuzzy Hash: 8b4ccde1c71b04b27a775360239f31a357f10710d1e2a68c0b25709e21693428
Instruction Fuzzy Hash: 00816C3172024A8FDB25DF2CC894A797BF5AF99700F1940AAEA05CB3A5DB70DC41CB91

Function 01218C60 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52da0fef636c5a61066b2d1cf56f6d79a702f3872d1ed4a86572faacef594088
Instruction ID: c4a5f8eee1923460684dd1c4b066b1505ec910d9031a2bf88d308f1426afed5c
Opcode Fuzzy Hash: 52da0fef636c5a61066b2d1cf56f6d79a702f3872d1ed4a86572faacef594088
Instruction Fuzzy Hash: 8C618170E1075A8FDF22CFA9C5806DEFBF2AF59300F648619E915AB246D770A945CF40

Function 01215A18 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ff019a073322f849fcc739203579a19b030cd4b6cf1d1ef73a491e0d3c5fbb
Instruction ID: 467f143e9633d8be558af1c976dc1980bb5b08660f08db7c347b88791ef980ed
Opcode Fuzzy Hash: 64ff019a073322f849fcc739203579a19b030cd4b6cf1d1ef73a491e0d3c5fbb
Instruction Fuzzy Hash: 6261A375D10218CFCB24EFB4E89869DBBB5FF89301F108569E80AAB354DB349842CF51

Function 01218C50 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81c90729c54cec75204b9b5d4aee61ec30a9ea84d18be78a4f85380b278dc77
Instruction ID: eb5aee7b804f6ed3fc895c3638590aa7cc3a3cd717b05419afd6c5972c9a25f1
Opcode Fuzzy Hash: c81c90729c54cec75204b9b5d4aee61ec30a9ea84d18be78a4f85380b278dc77
Instruction Fuzzy Hash: EA518F75E107499FDF22CFA9C1806DDBBF2AF9A300F644619E908AB246D770AD85CB40

Function 01218443 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd371502c9d07fa2a09bcb0435f876f74a007051c250820a43f7f62cd70e46b
Instruction ID: c2bf86af13e1a8a94c437120ee6770cfaefe785c6d059615d52ed529dcabadeb
Opcode Fuzzy Hash: dfd371502c9d07fa2a09bcb0435f876f74a007051c250820a43f7f62cd70e46b
Instruction Fuzzy Hash: F541AF31A1024ADFCF12CFA8C884A9DBFF2FF59310F058555E955AB29AD774E910CBA0

Function 01214E50 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54e22b7ccab0519f625d229932d156e4d922dcb3de320ca84bf7d45fa0da975
Instruction ID: c835c012ceeaba17f47a9a9692df02c6332a2683f5a630d5697e12573393d9fa
Opcode Fuzzy Hash: d54e22b7ccab0519f625d229932d156e4d922dcb3de320ca84bf7d45fa0da975
Instruction Fuzzy Hash: CD31E4B5E102498FCB05DFA8E544AAEBBF2EF95314F24817AD108D7345E735E842CB51

Function 01215450 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860ce2654021f6378cc7fb8c4cfabdad286c6f010f1ec2c1febcbcd344459721
Instruction ID: d72ed229823faa2b7e36076982d91de72663b030adf125adbbbee9929920271d
Opcode Fuzzy Hash: 860ce2654021f6378cc7fb8c4cfabdad286c6f010f1ec2c1febcbcd344459721
Instruction Fuzzy Hash: 89218071F102159FDB10EFB9A8086AE7BF6EF99650F004065D909EB348EB30DD018BD5

Function 012ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4148961137.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12ed000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b31c710467beadb89a182b2020523ec124d592f3611a27e7ceed1a9b2a5273
Instruction ID: 62d1fc9ec67c14eb6e2d633798b2f41fb131d5f0c2902100a8154501533e04f7
Opcode Fuzzy Hash: 09b31c710467beadb89a182b2020523ec124d592f3611a27e7ceed1a9b2a5273
Instruction Fuzzy Hash: A1216470214208DFCB11DF68D9C8B26BFA1FB84314F68C56DD90A4B256C37BD407CA61

Function 0121B728 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba623ab40a0d0b3a1fd5799b30457c5449fbd6dc9656edd797c1a4e0fe0cc481
Instruction ID: a48c37b386627e2f91495552336c5d83dbfc3cf1021d01eb0eaf202488d1cd38
Opcode Fuzzy Hash: ba623ab40a0d0b3a1fd5799b30457c5449fbd6dc9656edd797c1a4e0fe0cc481
Instruction Fuzzy Hash: 4A218D70E20249DFDB24DFA5D855BAEBFF5BF44300F144429E501A7388DB759901CBA0

Function 0121B821 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f910c8d0f96cbaeea3858e0c899907f0a7ad1a9e19125d203e91a354d363c722
Instruction ID: fd9b743ad3ba1a393624134d5fdd263d80adbc77e7d8b149d856c852895b7b22
Opcode Fuzzy Hash: f910c8d0f96cbaeea3858e0c899907f0a7ad1a9e19125d203e91a354d363c722
Instruction Fuzzy Hash: DE218974E10289DFDB15DFA5D550AEEBFFAAF88301F24806AE911E6358DB309901DF60

Function 012159FA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1251a017939091b18e76f0016846ccccb3a6c8c1bf95caf678e2e4a3f21f19f
Instruction ID: 91e9b469d67b5bb0d25c02a10a80289d09cb6a35345d718da38a356ae9b698a5
Opcode Fuzzy Hash: f1251a017939091b18e76f0016846ccccb3a6c8c1bf95caf678e2e4a3f21f19f
Instruction Fuzzy Hash: B52119B5D102099BCF24EFB4E85969DBBB1FF88300F108569D55AEB344DB345846CF41

Function 01218528 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e9cb30b7758b74b6ca1116cfad2f824515a0ba7927ef28bcdbc1d177293160
Instruction ID: f9aae9f2509f7ed55a9712d9028288aaa9be9ee867736d155a214c5c91fc07d3
Opcode Fuzzy Hash: 77e9cb30b7758b74b6ca1116cfad2f824515a0ba7927ef28bcdbc1d177293160
Instruction Fuzzy Hash: 4811B431A00245AFDB10CF58C8C4B5EBFE6EF95314F058555D6186B29AD371E810CB95

Function 012ED017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4148961137.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_12ed000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 40d65b2d6505f8c138cab06617c4e934032fa005cb4b460ea41412ed1fcff82e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2F11DD75504284CFDB12CF58D5C8B16FFA2FB84314F28C6AAD9094B656C33BD40ACBA2

Function 0121B71A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6c743b8643207b555cd9c9db9726eda3fa9c27547c4323d6b525055dc5a991
Instruction ID: 0296eb356635ebe23cb5dceaecd4e20881011f1fc768bfb3aaed999ab38156a1
Opcode Fuzzy Hash: 6f6c743b8643207b555cd9c9db9726eda3fa9c27547c4323d6b525055dc5a991
Instruction Fuzzy Hash: F311C1B1E20259DFEB28DF64D955BAEBBB5BF44301F144829E501E7398EB349802CB60

Function 012182E0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27df2029ea434cf30fd0c6ce9781ddb24c4f131acd4c7f549cdd05c21a45427
Instruction ID: c4e4b37b408954787392ef86e89a19ff5eb7d2fa65dd3e8422d485feebdc2afd
Opcode Fuzzy Hash: d27df2029ea434cf30fd0c6ce9781ddb24c4f131acd4c7f549cdd05c21a45427
Instruction Fuzzy Hash: 90011372E002189FCF09CFD8CA419DDBBF9FF88310F00812AE905AB254EB3199158B90

Function 01214DD8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c930a2dcaedcd83366c0265e43cfd6ce9cc96ccb35afc27b50ba705a87503eea
Instruction ID: 8bc8a4f36dcd8fd43771dd2f0d9fbbc403a43cf6f8a054fa736c271b40f44b81
Opcode Fuzzy Hash: c930a2dcaedcd83366c0265e43cfd6ce9cc96ccb35afc27b50ba705a87503eea
Instruction Fuzzy Hash: 52E02BF6E141148F8740DFBC69052FE7BF8EA4C221B054526D64DE3304F77086028BD1

Function 01214DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5751aacd636dba01e053c09e3d546faacaffc8ea442633beb6ed7af2a0d85865
Instruction ID: 34c6e44a87f280f1ecb4bfdc7b28e79a8108fec7a855d46a30f9739528855da4
Opcode Fuzzy Hash: 5751aacd636dba01e053c09e3d546faacaffc8ea442633beb6ed7af2a0d85865
Instruction Fuzzy Hash: BFE01271E141199F4B50EBADA8055AFBBF8EA8C211B04447AE60DD3304EA704A018BD1

Function 012161C4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b82398b7072d7c85c533225932b32192aa27d3b11d653d7974cc22958cfc04
Instruction ID: 2255addc790d71faa29cd4ceda2e3cd9687d11e9e541c6abb85ac897cc13bba2
Opcode Fuzzy Hash: 05b82398b7072d7c85c533225932b32192aa27d3b11d653d7974cc22958cfc04
Instruction Fuzzy Hash: BFD01201B612669ECF856ABF151523E04C72AD42D2B608C7A6603CA3EEFC6DCA841255

Non-executed Functions

Function 0121A398 Relevance: 5.3, Strings: 4, Instructions: 306COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0121A3BE
Xbq, xrefs: 0121A4C4
Xbq, xrefs: 0121A3F8
Xbq, xrefs: 0121A477

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 4f85eecb886aa8e5a3c424cdb3d97c17cf9f185a8b7844caf82f379879ec6e6a
Instruction ID: 5fe6432aad43d0f3c2cd32db6abfa22b65e92b65a9298fd7561ac147a333e4bb
Opcode Fuzzy Hash: 4f85eecb886aa8e5a3c424cdb3d97c17cf9f185a8b7844caf82f379879ec6e6a
Instruction Fuzzy Hash: 63D13932672786CFD742DB38C0152A5F7F4FF1536AB3801A9E014DA229E7714A628F59

Function 0121A375 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0121A3BE
Xbq, xrefs: 0121A4C4
Xbq, xrefs: 0121A3F8
Xbq, xrefs: 0121A477

Memory Dump Source

Source File: 00000002.00000002.4147473235.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1210000_rwzBBMVxUb.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 274b32644749462484a33bcde8cb8afe82209653f8477824390581f43425ce71
Instruction ID: c3ec967f8433f7f30cce33b7272c1442d7a726d6f2150ee361792aa6c84bbda5
Opcode Fuzzy Hash: 274b32644749462484a33bcde8cb8afe82209653f8477824390581f43425ce71
Instruction Fuzzy Hash: F831B470E5129A8BDF75CFAC854436EBAF2EBA4310F1440B5C619A7299DB71C981CBC2

Analysis Process: qXLPL.exePID: 5228, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	216
Total number of Limit Nodes:	14

Executed Functions

Function 02502838 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9eadb3f322e38bf089089a9e88f20610718c545dd9f8b6c76c46b3c191caf2
Instruction ID: 3acc9ef013d17adc3e7ba8a1885b920826591705ab8bffd1eb0d85589946d7b8
Opcode Fuzzy Hash: 0e9eadb3f322e38bf089089a9e88f20610718c545dd9f8b6c76c46b3c191caf2
Instruction Fuzzy Hash: C9912D74D012098BDB04DFAAD89879EBBF2BF48310F14D529E804E7399DB749982CF59

Function 02502070 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0331a28a23feee5357de3d98a4124c9b4b106f75f85d4a3619770c5f7084ce6
Instruction ID: af7cf9a39d4f3ed79b30e20cd94b4866d78d83d721a861d239fe3f8da99b6d58
Opcode Fuzzy Hash: d0331a28a23feee5357de3d98a4124c9b4b106f75f85d4a3619770c5f7084ce6
Instruction Fuzzy Hash: CBA1F370E00219CBDB54DFA9D8887EEBBB2BF89300F10D469D908B7295EB705986CF54

Function 02502061 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b1a4d448457dbab38e352c76eaf3c19b6c7a7a4eed75932c250d269087afbd
Instruction ID: 3c0d2d8718484f0f8b5fccbe2959aebc9c8701bcb55c5849cb533fdae68af8f5
Opcode Fuzzy Hash: b4b1a4d448457dbab38e352c76eaf3c19b6c7a7a4eed75932c250d269087afbd
Instruction Fuzzy Hash: 7A811671E042198FDB14CFA9D8947EEBBB2BF89300F14D4A9D908E7295EB304986CF55

Function 02502828 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9967065ec376710d32784fc309618d5653f917a6efa727bbef4b38fb6a61c16
Instruction ID: b1eed5b4c69eb76c09c72d3d37b303bfeba6a36d64ed954893e731f296da0b19
Opcode Fuzzy Hash: e9967065ec376710d32784fc309618d5653f917a6efa727bbef4b38fb6a61c16
Instruction Fuzzy Hash: 7F712F74D052098FDB04DFAAD99879EBBF2BF88310F14D429D804E7399EB744982CB59

Function 02505940 Relevance: 5.1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8O}, xrefs: 025059EC
8O}, xrefs: 02505A11
d8cq, xrefs: 02505AB8
Hbq, xrefs: 02505A00

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID: 8O}$8O}$Hbq$d8cq
API String ID: 0-2193686777
Opcode ID: 67788095540c8e9ac67c5faf589c8710d3757b9af7702ed49fcfc4be24b313be
Instruction ID: 4dacbb290a4c603e4c781501d8fd2d1123ee8d313f39ccccd90b8907965ced7f
Opcode Fuzzy Hash: 67788095540c8e9ac67c5faf589c8710d3757b9af7702ed49fcfc4be24b313be
Instruction Fuzzy Hash: B021C4307442046FE7286A3A5C95FBF2A6BFBC1761F288829F5469B3C5DD389C06C758

Function 08347C0D Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08347E4E

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 14c6d46be6c0da70359ce660556c39d03531d7674dffbfc84a2fa0f6c83d2b84
Instruction ID: f07337b573db103d3e4258a4eb359ae063ea1f29e5be9453e27cfd86113b893a
Opcode Fuzzy Hash: 14c6d46be6c0da70359ce660556c39d03531d7674dffbfc84a2fa0f6c83d2b84
Instruction Fuzzy Hash: 8BA14871D1061DCFDB20CF68C840BADBBF2BF89315F1485A9E809A7250DB75A986CF91

Function 08347C18 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08347E4E

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6165cf6062551d19afd18179916fc4617728db6f1777cd4e36fee83403520179
Instruction ID: 45902a6761ed8863c7becf1ee91385584ab35292ad3bdac3a388216628744068
Opcode Fuzzy Hash: 6165cf6062551d19afd18179916fc4617728db6f1777cd4e36fee83403520179
Instruction Fuzzy Hash: 8F913971D1061DCFDB20DF68C840BADBBF2BF84315F1485A9E809A7250DB75A986CF91

Function 0248D4D8 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a37e3bc42c47a7a532c5f395b388c80a669b51ed4e8288160aa8f03746bddbd
Instruction ID: 4b6002489386461361774c369ef291cce3ce3d12dc9fefe49d41687f5ad49f66
Opcode Fuzzy Hash: 6a37e3bc42c47a7a532c5f395b388c80a669b51ed4e8288160aa8f03746bddbd
Instruction Fuzzy Hash: 71710370A10B05CFDB24EF29D45479ABBF2BB88304F10892ED48A97B50D775E949CB94

Function 0248C53C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0248FBE2

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: becd1c413493de7dd650070e4685ca82a84eae161f5135409855f4b535e966e3
Instruction ID: 51d3ce01198072d1451ce7c5798c8ab90c55bd4b93bb65302d3e3d64fe55ef19
Opcode Fuzzy Hash: becd1c413493de7dd650070e4685ca82a84eae161f5135409855f4b535e966e3
Instruction Fuzzy Hash: 2D51CDB1D103099FDB14DFA9C984ADEBBB5FF48314F64812AE819AB210D770A885CF91

Function 02487712 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248774E,?,?,?,?,?), ref: 0248780F

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fedbcd206621dab04ac1cd716e6c8a9498e0578cd413ad4996d7bc51088e65d1
Instruction ID: 790dc6c9478b129094a8f6776e0a3f840c09618d204fec062652d42f43cad3ce
Opcode Fuzzy Hash: fedbcd206621dab04ac1cd716e6c8a9498e0578cd413ad4996d7bc51088e65d1
Instruction Fuzzy Hash: C44159759042889FCB01CFA9D844AEEBFF5EF49314F18809AE944A7262C3359955DF60

Function 02486AC1 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248774E,?,?,?,?,?), ref: 0248780F

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2b2f951ac1ce68055b57ffb62c1d192b8a2e8eebfe8c4ff59ec3f09bde42260
Instruction ID: c49b188b0ce0bf0c552c1e4a586bea74986042a2cc806b52215b57cacaa581a9
Opcode Fuzzy Hash: c2b2f951ac1ce68055b57ffb62c1d192b8a2e8eebfe8c4ff59ec3f09bde42260
Instruction Fuzzy Hash: 5A318AB5D043489FDB10DFA9D484AEEBFF4FF49320F24805AE554A7211D334A985CBA4

Function 083478F8 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08347990

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 27395d310c24c067e74d96d8c63f961ff17a19eeb3350bdb4ebbaa23657f50e7
Instruction ID: a2eaecb744d4d5d8da5464e252c3f9d0ff3188a8eb17e765a4233c2afc492468
Opcode Fuzzy Hash: 27395d310c24c067e74d96d8c63f961ff17a19eeb3350bdb4ebbaa23657f50e7
Instruction Fuzzy Hash: C02137B19002599FDB10CFA9C885BEEBBF1FF88310F108429E959A7251C7799945CF64

Function 08347900 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08347990

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 88b0b081c165e88005ce5920c22af431e070a8c45773f85a455db259adc47c50
Instruction ID: 9a62248ea60643a9fa84cc29a130f48cd1369b26b030cd35743cf0db224ebc71
Opcode Fuzzy Hash: 88b0b081c165e88005ce5920c22af431e070a8c45773f85a455db259adc47c50
Instruction Fuzzy Hash: B72166B19003599FDB10CFA9C880BDEBBF4FF88310F10842AE958A7250C778A944CFA4

Function 08347A18 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08347AA0

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f33b2a75e4aac53863e3ae128ae1a591c3d363bc03ea1b4b3bab8e405f2f4851
Instruction ID: 6d2cd7d59e65bba49b927b67b05c316a369ad617ea9242be7ac806c82e29f211
Opcode Fuzzy Hash: f33b2a75e4aac53863e3ae128ae1a591c3d363bc03ea1b4b3bab8e405f2f4851
Instruction Fuzzy Hash: B42139B1C002499FCB10DFA9C885AEEFBF5FF88320F10842DE959A7251C7789555DBA1

Function 08347670 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 083476F6

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6039067cdba53bead931bb23d6891bf69ed6eacb67ab80353ba2f527aa63d2f3
Instruction ID: c362d8e10503eac23326827c665a4fc94c9b0b7a9953b55ed907d8e11d081256
Opcode Fuzzy Hash: 6039067cdba53bead931bb23d6891bf69ed6eacb67ab80353ba2f527aa63d2f3
Instruction Fuzzy Hash: C82157B19002098FDB10DFAAC4857EEBBF5EF88320F108429D459A7241C778A945CFA4

Function 02486AE4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0248774E,?,?,?,?,?), ref: 0248780F

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9147058fb1b6f2c0cee89f66f0dedfc8e2a98a87c0540492a7eaae5886093996
Instruction ID: f004e123e644e2fcb3e0a910076b7506a85f23d77fa02bc3db28abcd8331dd20
Opcode Fuzzy Hash: 9147058fb1b6f2c0cee89f66f0dedfc8e2a98a87c0540492a7eaae5886093996
Instruction Fuzzy Hash: 3621E3B59102089FDB10DFAAD984AEEFBF4FB48320F14845AE958A7311D374A940CFA5

Function 08347A20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08347AA0

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 11394a708b96cdd6856669c54e45e1649e916fff97bed8e82c09865649aa6adb
Instruction ID: 17d4988b0e2766812a9ceda37c1aad5a34c718a1b63ac12cf1035bebfe788c40
Opcode Fuzzy Hash: 11394a708b96cdd6856669c54e45e1649e916fff97bed8e82c09865649aa6adb
Instruction Fuzzy Hash: E72159B1C003499FCB10DFAAC880ADEFBF4FF88310F108429E558A7250C774A540CBA4

Function 08347678 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 083476F6

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a1c1ed8fef07f3b5d87c0117c5792a51bc2fb0e83647ff68d3fa0d61df3808f6
Instruction ID: cf70f27c4cbaf96bdc509e6fceba5d33902246168bc338bc231b0c8510e9231a
Opcode Fuzzy Hash: a1c1ed8fef07f3b5d87c0117c5792a51bc2fb0e83647ff68d3fa0d61df3808f6
Instruction Fuzzy Hash: 542138B19002098FDB10DFAEC4857EEBBF5EF88324F108429D459A7241C778A945CFA5

Function 08347808 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0834787E

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de987edd63024a9d12c019fa38d96ce8a8b5ddb781a60611cf5d42ed6fb5eea0
Instruction ID: beb7cf8dc69629c356337d3d18a8532f89bf6b8a3d299034bd2338f4383b06a1
Opcode Fuzzy Hash: de987edd63024a9d12c019fa38d96ce8a8b5ddb781a60611cf5d42ed6fb5eea0
Instruction Fuzzy Hash: FE1179B18002489FCB10DFA9C845BDFBFF5EF88324F208429E559A7260C779A545CFA4

Function 08347810 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0834787E

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6e5b526941d3be09dd07b5ad1522077078ec3ba6f08941c3ead97b57c264e12f
Instruction ID: cb21b4ed52898d840e73e4867c612d1ea40f15fb9c7d790318bcc62a2a8cbf79
Opcode Fuzzy Hash: 6e5b526941d3be09dd07b5ad1522077078ec3ba6f08941c3ead97b57c264e12f
Instruction Fuzzy Hash: 6E1167B18002488FCB10DFAAC845BDFBFF5EF88320F108419E519A7250C735A540CFA0

Function 08347590 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 083475FA

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ca2dd2f42c096b3f65a2511ce782d0c8c02757030cafe901bbeb967de71f3feb
Instruction ID: 1c8900cb037ccae9442fc570960e5ce2e9bbd93e545f6e7fdf9a8c6fa9c64424
Opcode Fuzzy Hash: ca2dd2f42c096b3f65a2511ce782d0c8c02757030cafe901bbeb967de71f3feb
Instruction Fuzzy Hash: 5B115BB19002488FDB20DFA9C4457EEFFF5EF88324F248429D459A7250CB39A946CFA4

Function 0248C374 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0248D4F4), ref: 0248D72E

Memory Dump Source

Source File: 00000006.00000002.2060165846.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2480000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 654d32c2968249c9246ff8a18eda9b9957cb79868d5fff31a9ed3af3cfcba92d
Instruction ID: 5af854551f552a605b49a9cae2f85acc661b31d7dc9d7511a4d6cf4aa3cbbb27
Opcode Fuzzy Hash: 654d32c2968249c9246ff8a18eda9b9957cb79868d5fff31a9ed3af3cfcba92d
Instruction Fuzzy Hash: 80113FB6C00608CFCB20DFAAC444ADEFBF4EB88224F10842AD819A7250C379A545CFA5

Function 08347598 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 083475FA

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 02d846a2f4535dd23bceb6ca10d03ebfb96bbadd0af1678e7a018a66eae89303
Instruction ID: 5541960757682f283cb0bb929e74ee949d3071cfbac5eac316639ff519c5370d
Opcode Fuzzy Hash: 02d846a2f4535dd23bceb6ca10d03ebfb96bbadd0af1678e7a018a66eae89303
Instruction Fuzzy Hash: 94113AB19002488FDB10DFAAC4457DEFBF5EB88324F208829D559A7250C779A545CFA5

Function 08349700 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08349765

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b0927b642a35aaaa0dba6e6d6e16a817907451e16259d72bfbe242a01ecca101
Instruction ID: b67cc68d220fac6a7e058c1318ec8ffbdfb8c06eabca69568cf076208555ddf6
Opcode Fuzzy Hash: b0927b642a35aaaa0dba6e6d6e16a817907451e16259d72bfbe242a01ecca101
Instruction Fuzzy Hash: 261122B58003489FDB10DF9AC884BDEBFF8EB88360F208459E918A7610C375A945CFA5

Function 08349708 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08349765

Memory Dump Source

Source File: 00000006.00000002.2083135066.0000000008340000.00000040.00000800.00020000.00000000.sdmp, Offset: 08340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8340000_qXLPL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3e32adb5da549b479ef24ed31bacc4d3d32a5b18f522ddb980de1f3630c7a2bc
Instruction ID: 9491691a3e1a9d1c842c452d0662c37806c74f4a3b56bdb0ef7fab4a41927770
Opcode Fuzzy Hash: 3e32adb5da549b479ef24ed31bacc4d3d32a5b18f522ddb980de1f3630c7a2bc
Instruction Fuzzy Hash: D41103B58003489FDB10DF9AC884BDEBFF8EB48320F208459D958A7210C375A944CFA1

Function 02500260 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

8bq, xrefs: 025002E5

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 0a82ed06c77736f654eb5555542f482644d76f6433481454ca492f95aae78d3c
Instruction ID: c913f10e15359341a8697afb81ebb00698958582d3fe48de41d2a50ac8017e95
Opcode Fuzzy Hash: 0a82ed06c77736f654eb5555542f482644d76f6433481454ca492f95aae78d3c
Instruction Fuzzy Hash: 4EB1BD74E00218CFDB54DFA9D984BADBBB2BF49301F10846AD409AB394EB34AD85CF05

Function 0250024F Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

8bq, xrefs: 025002E5

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: b4d2788c2bc073840ee414c4be95e0ba3d609d4f2f7fb44c0ddc3af1e25c5665
Instruction ID: f51e875a879defbb92006c6d9a403d7066000bdc69c70a5d5e6f7deb927f2126
Opcode Fuzzy Hash: b4d2788c2bc073840ee414c4be95e0ba3d609d4f2f7fb44c0ddc3af1e25c5665
Instruction Fuzzy Hash: FDA1AE74E00218CFDB54DFA9D984B9DBBB2BF49301F1084AAD409AB295DB34AD85CF05

Function 02500A50 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02500ABB

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 066168f076befaf2d02dce935f4a87e53183069e32c19f2c6456bdfa8b963441
Instruction ID: 1ebfb6111499ea6c978147e2480d87a4b53ded719764514595750ad932219759
Opcode Fuzzy Hash: 066168f076befaf2d02dce935f4a87e53183069e32c19f2c6456bdfa8b963441
Instruction Fuzzy Hash: 90112171F0020A8BCB54EBB999506EFB6F6BFC4314B50446AC509E7384EB359D06CBA1

Function 02501700 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16beeb5a284f0f651ec1278bd271650e053c925a85313e4778fe6b2323266198
Instruction ID: 311f5e378cfc4e7e642de5425e2ab18ec7b7acccbfab39341079f1639a77992c
Opcode Fuzzy Hash: 16beeb5a284f0f651ec1278bd271650e053c925a85313e4778fe6b2323266198
Instruction Fuzzy Hash: FA613C31A00619DFDB14DFA9C984A9DBBF2FF88314F108159E909AB3A0DB71ED41CB40

Function 025016F1 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdb31cbd1ee4f4e95527a03d861812ed99baf39874e86b869e15ab831d7aaab
Instruction ID: f78980284a51f79448e3fbf7f1711854ca9143dd2e7d9dc1f2a08eb3fec16f92
Opcode Fuzzy Hash: 3fdb31cbd1ee4f4e95527a03d861812ed99baf39874e86b869e15ab831d7aaab
Instruction Fuzzy Hash: 3D615F31A00619CFDB14DFA9C994A9DBBF2FF88314F108159E509AB3A0DB71ED45CB40

Function 02505FC7 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471838a163f1ee436205e86cf267d305fb43cf7f1b8f93cdf5c4f1297f0f9ff0
Instruction ID: ace92cbc9e26ca9165f8054702e0378522c92ed93fed840be6359d409f64d7ad
Opcode Fuzzy Hash: 471838a163f1ee436205e86cf267d305fb43cf7f1b8f93cdf5c4f1297f0f9ff0
Instruction Fuzzy Hash: C471D974A02214CFD750EF68E998A4EBFF5FB08311F04A1A6E409973A9DB30AD84CF55

Function 02505BFC Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f3c35d9281affa8e4a165b208a5c84a710dcc6c29e4cc8ba9aff7a15e3d1e1
Instruction ID: 1d438eda8f0fac2c5d90ffb8b3b0b74a3b2844bcb50a692b9206e2bbd089e6ff
Opcode Fuzzy Hash: b4f3c35d9281affa8e4a165b208a5c84a710dcc6c29e4cc8ba9aff7a15e3d1e1
Instruction Fuzzy Hash: 5B711974D41209CFDB50DFA8E988AADBBB1FF48301F10956AE41AA7355DB309D84CF54

Function 025057AF Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7032405e1f4f072987b884034eafcf89ab5ae5529b8b0b0846d8c67a8425b6f6
Instruction ID: 904ea3c1a0197413fb71641ad5bb74a9371e42ad3f133a6649e23fa2ba070c18
Opcode Fuzzy Hash: 7032405e1f4f072987b884034eafcf89ab5ae5529b8b0b0846d8c67a8425b6f6
Instruction Fuzzy Hash: A431907180E3D4AFC7039B7888A55D97FB0EF07210B1A84D7D8D4CB1A3E128854EDB6A

Function 02500F38 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d411a52d3f5be80291b39406aa859b20bd5941115decde3ebf698690eae3539
Instruction ID: f7fe64ec36fa2aa0a91b8f6aa3580e9581780eba9ccfc95fdcf0f9cc0db988c2
Opcode Fuzzy Hash: 1d411a52d3f5be80291b39406aa859b20bd5941115decde3ebf698690eae3539
Instruction Fuzzy Hash: 79219C71A003454FCB15EB798C9867FBBB7FBC42603254829E415D7381DE34DD068B61

Function 007CD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8050b5ba2029750706e8b5eec63e194adaa5c92ea9fcb972084128c5dc914fa7
Instruction ID: eeb77be2e58cc6879eb0d1a4e99f4913e35b2f516128d7e77ce8c8aa945b4c98
Opcode Fuzzy Hash: 8050b5ba2029750706e8b5eec63e194adaa5c92ea9fcb972084128c5dc914fa7
Instruction Fuzzy Hash: 9021E0B1500280EFCB199F14D9C0F26BF66FB94324F20C57DEE090A256C33AE956C6A1

Function 007CD4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eb91d2e252309b7834dbc3b1f7da59317f3812d27c1e2f017b2af404b31bb4
Instruction ID: 316ecbabea82cb8614ec7f6dd959b33d67511691c9f4871d7e27462330b4dc97
Opcode Fuzzy Hash: 12eb91d2e252309b7834dbc3b1f7da59317f3812d27c1e2f017b2af404b31bb4
Instruction Fuzzy Hash: DA2103B1500200DFCB25DF14E9C0F26BFA5FB98318F20817DE9094B256C33ADC66CAA2

Function 007DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058629034.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c078df74af853de01458e678431adf45557e0e8742ac5dc76257c08803a1bdde
Instruction ID: 9692795ed759b208a7df4a98591378dca6d5a7c057339bc66fb1ab5ba7042386
Opcode Fuzzy Hash: c078df74af853de01458e678431adf45557e0e8742ac5dc76257c08803a1bdde
Instruction Fuzzy Hash: A421D071604204DFCB24DF24D984B26BBB5EB88314F24C56AD80A4B396C33ADC46CA61

Function 007DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058629034.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72867be3d9535e7041523f05c1913aab5c8a1a64530dd3915a88d79bc3c76bf0
Instruction ID: 12b5efc767ba4ef2e893678f90fae755010e86d2a7347a36307fbc1f1956d900
Opcode Fuzzy Hash: 72867be3d9535e7041523f05c1913aab5c8a1a64530dd3915a88d79bc3c76bf0
Instruction Fuzzy Hash: C6212671544204EFDB25DF54DAC0B26BBB5FB88314F20C66EE8494B396C33AEC46CA61

Function 025010DC Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5aa5a5bd36106b449b3ef3b80898e28873c0c3942e9dbce07bfd5e1d53f7d19
Instruction ID: 66d12e52630e49f31739ae727f5b00b6fc16f6c1f8cec16558ff7373d0391e6e
Opcode Fuzzy Hash: c5aa5a5bd36106b449b3ef3b80898e28873c0c3942e9dbce07bfd5e1d53f7d19
Instruction Fuzzy Hash: B931E2B0D016189FEB24DF99C9847CDBFF5BB48354F248169D408BB290C7795846CF95

Function 0250CDF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c58ad2bab69fcae82b4859d25be6ded287af089707e6261d1bfcae6b11c2a23
Instruction ID: bb7027ad2b53a44137b183a061e833d8b151655122f11eecce0dfd2996fe446f
Opcode Fuzzy Hash: 2c58ad2bab69fcae82b4859d25be6ded287af089707e6261d1bfcae6b11c2a23
Instruction Fuzzy Hash: 69214C70E04209DFCB15DFA9C9846AEFBB2FB89301F14D66AD405A7384D7349981CF84

Function 02500BF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee78e3be5eacdd2df99beb51f86d56256f2c9cf2b3df38bfe13e5bcf356b9107
Instruction ID: 989ac8898c9db81755f162024848b8fbbd972a2169f022e2231b1d6deb0195ee
Opcode Fuzzy Hash: ee78e3be5eacdd2df99beb51f86d56256f2c9cf2b3df38bfe13e5bcf356b9107
Instruction Fuzzy Hash: E631C0B0D016189FEB24DF9AC984B9EBFF5BB48314F24805AE409BB390C7B55845CF95

Function 02505E7A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3732b52b51d7b272cf87b3a4798265a7518db86b5b1e334336b45d7014e0ea
Instruction ID: 3a9f7c4e2a121f41aadf8f6b9331f7612f2057bf898018a3c4067a95f89b8203
Opcode Fuzzy Hash: 0c3732b52b51d7b272cf87b3a4798265a7518db86b5b1e334336b45d7014e0ea
Instruction Fuzzy Hash: C931F734D8121A8FDB64DFA4E848BADB771FB48301F0099A6E41AA3354DB705E989F54

Function 007DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058629034.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2f4cfe5428bcf52b5d729dbe7d2886253438cd4ff79ef5367a045a9d0d1245
Instruction ID: 4442dbfdf3d154ca9c08a1fa89b70d6557f5ea2b8d8a2e6287821a3ab38772cf
Opcode Fuzzy Hash: fa2f4cfe5428bcf52b5d729dbe7d2886253438cd4ff79ef5367a045a9d0d1245
Instruction Fuzzy Hash: AF217F755083849FCB12CF24D994711BF71EB86314F28C5EAD8498F2A7C33A9C0ACB62

Function 02500F2A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a5d7dc009f11763ce00e31640a00d6c2123e4f752f14b531daf81e096c2ae2
Instruction ID: 344cec7043b47252c017b7106e93b1a12b1829e69e56a6a9e88d3dac9b27b8b3
Opcode Fuzzy Hash: 11a5d7dc009f11763ce00e31640a00d6c2123e4f752f14b531daf81e096c2ae2
Instruction Fuzzy Hash: C111E371A002064FCB10EF799C84ABFBBB7FBC42607148529E819D7381EF349A0687A1

Function 007CD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 58c15a9d1f9b053a8a16cdf97f339ba73ae55a5b369555aac3bbd013ade5c397
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3011AC76504280DFCB16CF10D9C4B16BF62FB94324F24C6ADDD090B656C33AE95ACBA2

Function 007CD4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e85e1e09e2a7b9a050a46cd7ea45ab0f6e7f9121654abf5d55836c01300dee65
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6811B176504240DFCB16CF14D9C4B16BF72FB94318F24C6ADD9090B256C33AD86ACBA1

Function 007DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058629034.00000000007DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ceed770d34df05d8143bc5e1a9c41cac5e7cd7c620e2425764b9e0a40b528a5f
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 24118B75504280DFDB16CF14D6C4B15BBB1FB84324F24C6AAD8494B796C33AE84ACB61

Function 007CD75D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e99aa3c9d67a4df51b7b43dacd5fce080837be9259a41283d236fc8bc58d1299
Instruction ID: 68516e6275faa47cd0ce841a5044c96b3dd6a693549fdb11f8f39b7298e1d0b7
Opcode Fuzzy Hash: e99aa3c9d67a4df51b7b43dacd5fce080837be9259a41283d236fc8bc58d1299
Instruction Fuzzy Hash: 0901A2711093449AE7209A29CE84F67BFE8EF55724F18C83EED094A286C37DDC40C6B2

Function 0250149D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845c92f02dc74a4881db410aa82a7f3458eb6fa9b5fad23b98390b931a6cc58b
Instruction ID: 346af02c7f4bd82bd11f8592d318033d81b235d1ba90f2542f7fcfc46346366a
Opcode Fuzzy Hash: 845c92f02dc74a4881db410aa82a7f3458eb6fa9b5fad23b98390b931a6cc58b
Instruction Fuzzy Hash: 63010C71800619DFDB11CFA5C8843EE7BB1FB44354F10C665D429AA2A0D7744A45CF95

Function 02501539 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6edcf97a504c258051315f11ead9a6aca0c84ccc6bf354d7fc0208f78596be7
Instruction ID: 7c79872a170ea5d3e3322625b77483aabbb99e590b301789ab63c88e843d41be
Opcode Fuzzy Hash: c6edcf97a504c258051315f11ead9a6aca0c84ccc6bf354d7fc0208f78596be7
Instruction Fuzzy Hash: 9CF0E2B6B041141FD3048B6E98C5CA7BBEDFBC9660311807AE418CB311D9318D0AC7B0

Function 007CD75C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2058567485.00000000007CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7cd000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019d8e83cb05db897d693f0d092e8fa75056c1f297b181c89b743c6824a461c0
Instruction ID: 2ed9cc7def6fcd94a77930dd663261f023c8abc2677a25d4289ea01b04350f9d
Opcode Fuzzy Hash: 019d8e83cb05db897d693f0d092e8fa75056c1f297b181c89b743c6824a461c0
Instruction Fuzzy Hash: BFF06271404344AEE7208A16C984B62FFA8EF95734F18C45EED484A286C3799C44CAB1

Function 025058E8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e314fd1b67acfdbca99d6e5a06096b5e9ffabe2cc1eb4ebc8fe07b19ff14225a
Instruction ID: 353b25ca804f8f0e97896c7b82670c872eb098206bbbe65239717afe699d844c
Opcode Fuzzy Hash: e314fd1b67acfdbca99d6e5a06096b5e9ffabe2cc1eb4ebc8fe07b19ff14225a
Instruction Fuzzy Hash: BBF0AF70C09248AFCB51DFA899404DDBFB0BF06220F1481EAE854972A2D7351B12EF44

Function 025014A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02374e2fe7433bf51431937cf830717633443ad0f0043ddeb5311f982c4ad3ac
Instruction ID: a38d36232a2a4add6c95632124485bf1ce2ef51014533c526a19ea353a4de5d9
Opcode Fuzzy Hash: 02374e2fe7433bf51431937cf830717633443ad0f0043ddeb5311f982c4ad3ac
Instruction Fuzzy Hash: E101EC70800619DFDB15CFA6C8443AE7BF1FF45355F10C665E419AA2A0D7744A40CF95

Function 025001C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7977b973275658773d7cd273bb45a93dab094ed259248ddd76e33867d5395c
Instruction ID: e5a0d31fbfb18dc79f25c7a22f9f5667665d8af3b6b43a1660fbe7bfb4462827
Opcode Fuzzy Hash: 6b7977b973275658773d7cd273bb45a93dab094ed259248ddd76e33867d5395c
Instruction Fuzzy Hash: 1AF08C3084A248DFCB119FA8ED856EC7F31FB0B312F209695E80567292C7351E42DB55

Function 02501548 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e98b1eabdfdda60e75f596e050568a43c9f4c79139c77f4b323b4922557f04
Instruction ID: 6f3636f2d3fb89ec7cd57698f0cf71b7937dd011cca06a7f38045650d88e4aaa
Opcode Fuzzy Hash: 14e98b1eabdfdda60e75f596e050568a43c9f4c79139c77f4b323b4922557f04
Instruction Fuzzy Hash: F2E039727041286F93049A6ED888D6BBBEEFBCC660311807AF508C7310DA319C0086A0

Function 025001D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350ba47a8474ace5041caad3295c19c6fd7564164a43700030a0ccff1968368d
Instruction ID: 8e44bb30638342a6311c868169a31428b01b0f8f75e2efb541687b3f995b63db
Opcode Fuzzy Hash: 350ba47a8474ace5041caad3295c19c6fd7564164a43700030a0ccff1968368d
Instruction Fuzzy Hash: 5EE01A30949208EFC714EFA5ED85BBDBB79FB4A312F109154E809232D5CB316E50DB99

Function 025058F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37157f37d5a6ff7bf7636f0e40b77bd92036279374e2e4f3058c12be7530681b
Instruction ID: 8c5d297a76ad2f97e4c7c1523449dc65e7e9f041ee69055992f946d800764079
Opcode Fuzzy Hash: 37157f37d5a6ff7bf7636f0e40b77bd92036279374e2e4f3058c12be7530681b
Instruction Fuzzy Hash: D6E0C274D06208EFCB54DFA8E8446ACBBF5FB48310F0085A9E80892350E7355A55EF84

Function 02505BBC Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678c24a8abbda79e8b1998fd56a27d5684725ba48765890f56f9c6f49a101e1e
Instruction ID: e023fbbf64b461be0afa6593ec79e998be714de6c481b752f8e1cc5b1199c178
Opcode Fuzzy Hash: 678c24a8abbda79e8b1998fd56a27d5684725ba48765890f56f9c6f49a101e1e
Instruction Fuzzy Hash: BDE0927044828A8FE7428F54DCD4AA97F79FF1A304F041AC2D09997292C7345D5DCF19

Function 02500650 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ede2d269d5063ab99eadf655316801f52304be60d5acd8e92fc780a98733f22
Instruction ID: 47a115c522924d7659d78e861849047ee5f30d552408bed5c6ba8a048ef8c7b5
Opcode Fuzzy Hash: 0ede2d269d5063ab99eadf655316801f52304be60d5acd8e92fc780a98733f22
Instruction Fuzzy Hash: 12E0C2A008F31CDEC344DBE49A40B69B7BDEB82218F0019AC9108131E1CF351F00D68E

Function 02500660 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d731b7396231a5d7f4ab3e78d995eef4f9a4b380767d8234c2d69f797d1944
Instruction ID: c6743c3c1be9e0f8e901ff5880f7cb8bb676adad134ccd81b1533a78c05340fa
Opcode Fuzzy Hash: c1d731b7396231a5d7f4ab3e78d995eef4f9a4b380767d8234c2d69f797d1944
Instruction Fuzzy Hash: BCD0227048F11CEFC740CAE4DA44BB977EDE782208F001098D40D132E1CF752E00D689

Function 02500A27 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2060363900.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2500000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddde4b083fd6d1da17aefd9447b2ec0f9d530e3c2b6a4e37b40c03e2bef10cb7
Instruction ID: 3dccbbc8a4ead0f306634803e4cb341bc66c33440272523ce5baaa22cfb73b5c
Opcode Fuzzy Hash: ddde4b083fd6d1da17aefd9447b2ec0f9d530e3c2b6a4e37b40c03e2bef10cb7
Instruction Fuzzy Hash: 9FB012760000005DE7092B40C806C947B52FB152083109050D085060304525A027D706

Analysis Process: qXLPL.exePID: 3052, Parent PID: 5228COMMON

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	20

Executed Functions

Function 00F06030 Relevance: 5.8, Strings: 4, Instructions: 782
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00F06069
PH^q, xrefs: 00F065B0
\, xrefs: 00F06123
\, xrefs: 00F0615E

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: PH^q$\$\$\
API String ID: 0-2373583716
Opcode ID: f93a89b26bb9f0851e70a9ebc3c5362bfd3faf786120565b03b32b913116d915
Instruction ID: 23b4a6cec90ba82d554758316eaec8f2eea0f69330948f33784757e1953e9b5a
Opcode Fuzzy Hash: f93a89b26bb9f0851e70a9ebc3c5362bfd3faf786120565b03b32b913116d915
Instruction Fuzzy Hash: 67529F30B002158FDB259F74D8587AEBBF2AF84314F148569E40ADB399EF39DC829B51

Function 00F0A058 Relevance: 5.3, Strings: 4, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 00F0A3BE
Xbq, xrefs: 00F0A3F8
Xbq, xrefs: 00F0A4C4
Xbq, xrefs: 00F0A477

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: e80ac8b8c01b75b8a3ab14fcd39d927d958eba6a0ab1daaef19a0ecb639ecd71
Instruction ID: 3752dd2763ac60c7524295fe432fa0cdc6edcc7bb4a313eea190052aa636bda5
Opcode Fuzzy Hash: e80ac8b8c01b75b8a3ab14fcd39d927d958eba6a0ab1daaef19a0ecb639ecd71
Instruction Fuzzy Hash: B7B1B334E003058FDB25DB78C99876EBAE2BF84310F148469D0569B3E5DF759C41EB92

Function 00F0D14F Relevance: 2.0, Strings: 1, Instructions: 751COMMON

Download Yara Rule

Strings

Xbq, xrefs: 00F0D7F7

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: Xbq
API String ID: 0-63242295
Opcode ID: 6ec3076d7f320c26a248c0c7ff0bf89fbb03fb404f97e1a9d99e0c87ddb109b2
Instruction ID: 0800f8072eb98aa7eba918411362db7ae9c34ceb3fb2fdf2d21bad4c4c16e481
Opcode Fuzzy Hash: 6ec3076d7f320c26a248c0c7ff0bf89fbb03fb404f97e1a9d99e0c87ddb109b2
Instruction Fuzzy Hash: 6A42B830F002049FEB199BB8D9947AEBBE3AB85320F148469E445EF3D5CE75DC42A791

Function 00F07207 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e12eb9536dc75905a6fce5a9cecafcad0472464930d10d94c948b9649fff8af
Instruction ID: c2fedba8830bd41656b6cba7d334f5499af46e1d7cea4b185388fd38058754e8
Opcode Fuzzy Hash: 5e12eb9536dc75905a6fce5a9cecafcad0472464930d10d94c948b9649fff8af
Instruction Fuzzy Hash: B542B330E043088FEB25EB78C8547ADBBF2AF85310F24C4A9D4499F2D5DA75AC45DB51

Function 00F0CD91 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c888fabc05a0fa39a098a0cd44f5f3eb22bdfbd8a76ebf92d6fa8847bbd26eeb
Instruction ID: f7149f55ac502cd5db1df77dd258bafa078858386db2956b460ecaeef2c4fd28
Opcode Fuzzy Hash: c888fabc05a0fa39a098a0cd44f5f3eb22bdfbd8a76ebf92d6fa8847bbd26eeb
Instruction Fuzzy Hash: 21029270F002058FDB24DBA8C984BAEBBF2AF95320F248565E545DB3D5CA35DC42AB91

Function 00F0C220 Relevance: 6.5, Strings: 5, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 00F0C3DE
\Ocq, xrefs: 00F0C4A2
PH^q, xrefs: 00F0C537
fcq, xrefs: 00F0C2E4
PH^q, xrefs: 00F0C474

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$PH^q$PH^q$XPcq$\Ocq
API String ID: 0-2308457832
Opcode ID: 93c4617586731fc9b1539217452182e97eb5c6e97ec0d8fe31e78c76696cb850
Instruction ID: e1efaed5d89fedfa82cd5982f950700e036ee441748febe924f9633cbe2e9937
Opcode Fuzzy Hash: 93c4617586731fc9b1539217452182e97eb5c6e97ec0d8fe31e78c76696cb850
Instruction Fuzzy Hash: 6791C670F002098FDB159FB9D8547AEBBA6FBC8310F208529E54ADB3D4DE358C41AB91

Function 010FA3A0 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010FA42E
GetCurrentThread.KERNEL32 ref: 010FA46B
GetCurrentProcess.KERNEL32 ref: 010FA4A8
GetCurrentThreadId.KERNEL32 ref: 010FA501

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 18592f7ad948168bf2702099aa984326054ad99f9b18d0ba1f8652e05d69cc42
Instruction ID: ef63fac615abe48fbfb2dfadd9883b18cd5e077d7a949e196c5285155ed29776
Opcode Fuzzy Hash: 18592f7ad948168bf2702099aa984326054ad99f9b18d0ba1f8652e05d69cc42
Instruction Fuzzy Hash: 755155B0901309CFDB04DFA9D549BDEBBF5AF88304F24C459E158A72A0DB34A984CF66

Function 010FA3B0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 010FA42E
GetCurrentThread.KERNEL32 ref: 010FA46B
GetCurrentProcess.KERNEL32 ref: 010FA4A8
GetCurrentThreadId.KERNEL32 ref: 010FA501

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ea3d750e28c96e06bca0fb00407b803a3b597104ef162c927a3684afd010d07e
Instruction ID: 4aa1379f70d9d7c07bc285359787c12fc4a54332bc59da19782f62c72dc1def3
Opcode Fuzzy Hash: ea3d750e28c96e06bca0fb00407b803a3b597104ef162c927a3684afd010d07e
Instruction Fuzzy Hash: 075155B0901309CFDB04DFA9D549BDEBBF5AF88304F20C459E558A7260DB34A984CF66

Function 00EF7678 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 312
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00EF78AF

Strings

LR^q, xrefs: 00EF794A
LR^q, xrefs: 00EF78E6

Memory Dump Source

Source File: 00000007.00000002.4148156501.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ef0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID: LR^q$LR^q
API String ID: 2994545307-4089051495
Opcode ID: 4588da79e92c420ad40f8901448f008663d35a7438d1ce6a86dddb111ba74866
Instruction ID: 64313dfbde84f5a344f01ac913ecf15bdfd9fa989a5654dd443287d9cabf4e02
Opcode Fuzzy Hash: 4588da79e92c420ad40f8901448f008663d35a7438d1ce6a86dddb111ba74866
Instruction Fuzzy Hash: 7FB12430B083459FD706AB78D815BAA7BF6AF86304F1484BAE185DF392EA74DC09C751

Function 05F32CFC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 05F361F4

Strings

|9, xrefs: 05F36198
t8, xrefs: 05F32CFC

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID: Open
String ID: t8$|9
API String ID: 71445658-2897010974
Opcode ID: 25ac85e04cc9ba2533659b4fa588278cb892748e39496cf6c78a9c96deb080ec
Instruction ID: b9cc73ee5c31b9bf48200a66a7866d4ee4b7231d8b87b3c2aa4a444aeeb162fc
Opcode Fuzzy Hash: 25ac85e04cc9ba2533659b4fa588278cb892748e39496cf6c78a9c96deb080ec
Instruction Fuzzy Hash: D83113B0D052899FDB10CF99C585A8EFFF5BF48304F24816AE809AB355C7799984CF94

Function 00F086A0 Relevance: 4.2, Strings: 3, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 00F086DF
;^q, xrefs: 00F08AD4
4'^q, xrefs: 00F086B9

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$;^q
API String ID: 0-799016360
Opcode ID: b7189009124b813dee90029d7f7ce9b52c52dd8480cb2b45bd0f88b0e95f6ce9
Instruction ID: 76757487c2d1a65241cb02db350ff64fe7983ca6c20992cc88956d7649290cf3
Opcode Fuzzy Hash: b7189009124b813dee90029d7f7ce9b52c52dd8480cb2b45bd0f88b0e95f6ce9
Instruction Fuzzy Hash: BFF183317041018FDB259A29C9547397AA6BF847A4F1844AAE486CF3E6EF39CC43F751

Function 00F05E70 Relevance: 4.0, Strings: 3, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 00F05F99
\, xrefs: 00F06069
LR^q, xrefs: 00F05F3F

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: LR^q$\$\
API String ID: 0-2226078569
Opcode ID: e094dd8c96dc19a556b57d95ceca4d5a6708881454703664e465ce0e796600ec
Instruction ID: 6a426466a94512686272dba2498b2017d14f81c41771a9568919323e50f65beb
Opcode Fuzzy Hash: e094dd8c96dc19a556b57d95ceca4d5a6708881454703664e465ce0e796600ec
Instruction Fuzzy Hash: 5A712530B046419FDB05DB788C546AF7BB6AB86310F1485BAE508DB6D6DB78CC02DBA1

Function 05656D08 Relevance: 4.0, APIs: 2, Instructions: 979libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84fd043ddc2b2c8aac23f290a4cb1b7cbf76bf3355e42b5db4d12a7ac3d5cccb
Instruction ID: 8ec3b0529f5a81a96e39196256b4b4c94184c887983716a7be5824f91f222093
Opcode Fuzzy Hash: 84fd043ddc2b2c8aac23f290a4cb1b7cbf76bf3355e42b5db4d12a7ac3d5cccb
Instruction Fuzzy Hash: 04A21774A50229CFCB65DF20D84869DB7B6BF88305F5084E9D94AA3348DF399E82CF45

Function 00F06ED0 Relevance: 4.0, Strings: 3, Instructions: 224COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F071A5
fcq, xrefs: 00F0713D
fcq, xrefs: 00F07131

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$ fcq$PH^q
API String ID: 0-4172635152
Opcode ID: 78c87238ebda5030c829a5f1d820c3836c19df831b604aa22e1ed5b804eb6c03
Instruction ID: e2baf43d014970780e262cc4789b0b3c67e6c2d23fa7bd5813d0078e7b73a572
Opcode Fuzzy Hash: 78c87238ebda5030c829a5f1d820c3836c19df831b604aa22e1ed5b804eb6c03
Instruction Fuzzy Hash: 50714E31F002098FDB54AB74D55876E76E7AFC8710F104428E44ADB3C4EF799C429B92

Function 05F38868 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

0?, xrefs: 05F3890B

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID:
String ID: 0?
API String ID: 0-3145223607
Opcode ID: 693f9aa8633396794b15231061c1213dd5a304ce97161dbf1908ef3b834157a7
Instruction ID: d5e6f22a4fa0453311d5fe259e6715a2a2275f2676f86c74b55daffc41f00183
Opcode Fuzzy Hash: 693f9aa8633396794b15231061c1213dd5a304ce97161dbf1908ef3b834157a7
Instruction Fuzzy Hash: 4E414531E083898FCB15CFB9C81429EBFF1AFC9310F1885ABD444A7691DB389845CB91

Function 05656D29 Relevance: 3.6, APIs: 2, Instructions: 632libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78b55a3b89402c42256b732c615a9f3d0dd8a3a2e1f79a579e94a479ec72a011
Instruction ID: 24da25248984e47acf45866dbc87a928828738ae44dfcff6a9642678d7c4ca1b
Opcode Fuzzy Hash: 78b55a3b89402c42256b732c615a9f3d0dd8a3a2e1f79a579e94a479ec72a011
Instruction Fuzzy Hash: 3B6229B4A50219CFCB25DF70D84869DB7B6BF88205F5084E9D909A3348DF399E82CF45

Function 05656D6E Relevance: 3.6, APIs: 2, Instructions: 625libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b33902ff1d5da70d9b1c98de8565770249846117b508326e833660c1e08de12
Instruction ID: e92465df360415116458b4951f979269e359a722df55d2b0b0f842feeb00099d
Opcode Fuzzy Hash: 6b33902ff1d5da70d9b1c98de8565770249846117b508326e833660c1e08de12
Instruction Fuzzy Hash: 945229B4A50229CFCB25DF70D94869DB7B6BF88205F5084E9D909A3348DF399E82CF45

Function 05656DB3 Relevance: 3.6, APIs: 2, Instructions: 618libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28cd06807b41dac41acf9a5366cc65e7840bdc5f51146a233e7b767b031f5986
Instruction ID: 1efd262a2ab1e0ba4d7009d56b430d9d9dd2e42666ea3a9dd8b800a5e8cc9bcc
Opcode Fuzzy Hash: 28cd06807b41dac41acf9a5366cc65e7840bdc5f51146a233e7b767b031f5986
Instruction Fuzzy Hash: A75219B4A50219CFCB25DF70D94869DBBB6BF88205F5084E9D909A3348DF399E82CF45

Function 05656DF8 Relevance: 3.6, APIs: 2, Instructions: 611libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c48db9f30a8943e3c9ecaf1ac44d0dc26da84d8141fc6cfcf33996aa2c6db539
Instruction ID: 91f6c39a6d5ce2f3c6728ab416b8846c28432a2e2aa66b752435ee0cfb48912a
Opcode Fuzzy Hash: c48db9f30a8943e3c9ecaf1ac44d0dc26da84d8141fc6cfcf33996aa2c6db539
Instruction Fuzzy Hash: 8B5219B4A50219CFCB25DF70D94869DBBB6BF88205F5084E9D909A3348DF399E82CF45

Function 05656E3D Relevance: 3.6, APIs: 2, Instructions: 602libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d64be3faee347deef6f799c2e4d9a69bf45d1e253f95fee3c11531f4898eb7c4
Instruction ID: 26ea158db182fa67de988a3190d58a8799b7f6fa6be07fd227de7ef68bd6ac23
Opcode Fuzzy Hash: d64be3faee347deef6f799c2e4d9a69bf45d1e253f95fee3c11531f4898eb7c4
Instruction Fuzzy Hash: 635228B4A50219CFCB25DF70D94869DBBB6BF88205F5084E9D909A3348DF399E82CF45

Function 05656E79 Relevance: 3.6, APIs: 2, Instructions: 597libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03e5aaeef394cc01e6d997fe1f707ba73b268c0cb4ed860a55a4ba96308d9b64
Instruction ID: da9176cc6533df9395a34daf2a0f60d91284dcca07e1af4e8e92f4cb79c347d7
Opcode Fuzzy Hash: 03e5aaeef394cc01e6d997fe1f707ba73b268c0cb4ed860a55a4ba96308d9b64
Instruction Fuzzy Hash: D05218B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05656EBE Relevance: 3.6, APIs: 2, Instructions: 588libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d2837fc59aa21bed2681cc1ddf866b2026bc00740a275f29cc2813e3b5481f3
Instruction ID: 4ccb2d88c9e1c79ff0777140f74ba81c4231f70210f28e3224dc4932442c7b4f
Opcode Fuzzy Hash: 4d2837fc59aa21bed2681cc1ddf866b2026bc00740a275f29cc2813e3b5481f3
Instruction Fuzzy Hash: AF5218B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05656EFA Relevance: 3.6, APIs: 2, Instructions: 583libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07f62b6dd2a9c3430bcabd9ca1c9c181ff1e00aca0712b27eb17c8aee8d50b3e
Instruction ID: e82d8b8c32788b9f641464499c8cc9ab6d6b3c7a99a01c3c9234374e6dfb8110
Opcode Fuzzy Hash: 07f62b6dd2a9c3430bcabd9ca1c9c181ff1e00aca0712b27eb17c8aee8d50b3e
Instruction Fuzzy Hash: 4C5218B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05656F3F Relevance: 3.6, APIs: 2, Instructions: 576libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5af37cfacaf4fcd1099a7f672acc9d1b1ae9c39dbfcfb81534806e9cadd198a3
Instruction ID: 8ce63b86bbb23807f01471ccb0958bf640b71d5c5518488f9e74fca7ccdaf34e
Opcode Fuzzy Hash: 5af37cfacaf4fcd1099a7f672acc9d1b1ae9c39dbfcfb81534806e9cadd198a3
Instruction Fuzzy Hash: C75218B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05656F84 Relevance: 3.6, APIs: 2, Instructions: 569libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95fc457639bc88dd54ebf1491ea1a09ebc095a0cebf6aaa9ab481d72f0e820fa
Instruction ID: c915d42b27611e2e75f9cafe3529eff0bd29a1c80842c79cc9cc967166062aad
Opcode Fuzzy Hash: 95fc457639bc88dd54ebf1491ea1a09ebc095a0cebf6aaa9ab481d72f0e820fa
Instruction Fuzzy Hash: 934218B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05656FC9 Relevance: 3.6, APIs: 2, Instructions: 562libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca5e7f88f2d9e4ac9f8847a7776cf6df8e018dbfa438c83a2983e5858a0ff9b7
Instruction ID: de8fba9df0da654d14af2e6b2b633f6f13356a3ac9dddb67f616508710181a09
Opcode Fuzzy Hash: ca5e7f88f2d9e4ac9f8847a7776cf6df8e018dbfa438c83a2983e5858a0ff9b7
Instruction Fuzzy Hash: AB4227B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 0565700E Relevance: 3.6, APIs: 2, Instructions: 555libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29874e373e008b74df704f3957149791a2f3fd82d010e1b0c86ce80352db64e7
Instruction ID: b057de4514d0f0b86274360162ccd2888c287d707fff20c34cd20fc79f83d060
Opcode Fuzzy Hash: 29874e373e008b74df704f3957149791a2f3fd82d010e1b0c86ce80352db64e7
Instruction Fuzzy Hash: 464228B4A40219CFCB25DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 05657053 Relevance: 3.5, APIs: 2, Instructions: 548libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4af2d02c008adb14c7648a5a5b304faa312c13159171ad8f0426653eaf18456
Instruction ID: eda25b21766f87c9e7653392a4f0521df950bcc9429ab3b84d3fde8e55bcacab
Opcode Fuzzy Hash: a4af2d02c008adb14c7648a5a5b304faa312c13159171ad8f0426653eaf18456
Instruction Fuzzy Hash: 3B4228B4A40219CFCB25DF70D94869DBBB6BF88205F5084E9D909A3348DF399E82CF45

Function 05657098 Relevance: 3.5, APIs: 2, Instructions: 541libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85232ddf51410bc97573be14f3eeea00bdf815ab5dece6518a95c662dc15359f
Instruction ID: 58ded56fb3eb91ac77f3e20fcef7be909869fefd90aa7d2f612d2ad346154637
Opcode Fuzzy Hash: 85232ddf51410bc97573be14f3eeea00bdf815ab5dece6518a95c662dc15359f
Instruction Fuzzy Hash: 2A4227B4A00219CFCB24DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF45

Function 056570DD Relevance: 3.5, APIs: 2, Instructions: 534libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 792e932bfe87ee2eb437f7c3cb24eea5ae7648d02339515723776e4d466626d5
Instruction ID: 2f20d77c131beebc6fa02884b6e35111976831ff8f26ac28d6c9ac43b91bf23a
Opcode Fuzzy Hash: 792e932bfe87ee2eb437f7c3cb24eea5ae7648d02339515723776e4d466626d5
Instruction Fuzzy Hash: CC4227B4A40219CFCB24DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 05657122 Relevance: 3.5, APIs: 2, Instructions: 527libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5cda9498b70375a5369df68bb5f6ecedeff73df71169aac228bd9a536c659015
Instruction ID: 409b95c31d7e8deb74efddf58b99ab32d7208562c22861d7e206bfab0c15df0e
Opcode Fuzzy Hash: 5cda9498b70375a5369df68bb5f6ecedeff73df71169aac228bd9a536c659015
Instruction Fuzzy Hash: BD3228B4A40219CFCB24DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 05657167 Relevance: 3.5, APIs: 2, Instructions: 518libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a41928a3a8e5b181037ce07668277b18660ef4f5b055e98f042ae3c2cf50727
Instruction ID: 295fe46aa3d9de813b17aaf396a8e1093cb69f0885c5f3c6c2dfecbcca736979
Opcode Fuzzy Hash: 5a41928a3a8e5b181037ce07668277b18660ef4f5b055e98f042ae3c2cf50727
Instruction Fuzzy Hash: 1C3228B4A40219CFCB24DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 056571A3 Relevance: 3.5, APIs: 2, Instructions: 513libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 299dbd6b85fec07aad8c63629e70e4875e0c1f9711efe81e96b4df8170c192da
Instruction ID: 7a7e73b8bcdee6883c288f1fb5c5679dfe6cf78df088a2d84363b606ff9b74b8
Opcode Fuzzy Hash: 299dbd6b85fec07aad8c63629e70e4875e0c1f9711efe81e96b4df8170c192da
Instruction Fuzzy Hash: 093228B4A00219CFCB24DF70D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 056571E8 Relevance: 3.5, APIs: 2, Instructions: 506libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28260b6e9e5e00430267c3bffc174336307a47f85cc4ad6900a156268b850a8c
Instruction ID: 8108a313deb1717c0026de56499367daf9bd176f45f7b1e517e3af717c537593
Opcode Fuzzy Hash: 28260b6e9e5e00430267c3bffc174336307a47f85cc4ad6900a156268b850a8c
Instruction Fuzzy Hash: FE3228B4A00219CFCB24DF74D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 0565722D Relevance: 3.5, APIs: 2, Instructions: 497libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0565727F
LdrInitializeThunk.NTDLL ref: 0565735E

Memory Dump Source

Source File: 00000007.00000002.4197085215.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5650000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8dfb7dd9e293943db5bec227bd21045415b5637ee411994da18a452e1a457410
Instruction ID: 8a5a13d5a4041a8923bbdced16a50b7fbe4cd91728672ab6d3964d5febf923e7
Opcode Fuzzy Hash: 8dfb7dd9e293943db5bec227bd21045415b5637ee411994da18a452e1a457410
Instruction Fuzzy Hash: 503228B4A00219CFCB24DF74D94869DBBB6BF88205F5085E9D909A3348DF399E82CF55

Function 00F094E8 Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F096FA
Hbq, xrefs: 00F0972D

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 61f2f763046e1e615f85f80cc1ef91df1d1ec9a5cf5439daef28f0ba56e9d5f0
Instruction ID: 8eba94f9879a2bcad388f2b2adca7e3e7007cc383d1f67b750667fa87574e9a2
Opcode Fuzzy Hash: 61f2f763046e1e615f85f80cc1ef91df1d1ec9a5cf5439daef28f0ba56e9d5f0
Instruction Fuzzy Hash: 5D91CF31B041099FDB09EF68C864BAE7BA6BB88310F148429F506DB2C5DF75DD41EB91

Function 00F0BCF0 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F0BE44
4'^q, xrefs: 00F0BE2D

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 3ba87d5e50e8a0d511492a6867f0ceb8881c27fb1618d944eada248441d5b1f2
Instruction ID: 29f95d38f354e13094837a753f50c22d26025005269a629320150e9bd36dea3d
Opcode Fuzzy Hash: 3ba87d5e50e8a0d511492a6867f0ceb8881c27fb1618d944eada248441d5b1f2
Instruction Fuzzy Hash: 2151AD307052459FDB05DF69D844BAEBBA6EF88320F148066F908CB396DB75CC02EB61

Function 00F071BF Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

PH^q, xrefs: 00F071A5
fcq, xrefs: 00F07131

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$PH^q
API String ID: 0-2325994563
Opcode ID: 39e3b204e624091e182da2e1025543c44bc7642291cf743e4d6fbdd7275586b5
Instruction ID: c2bcd5e59a979c8a8ef020ac67eb108debcbc6a9fbea2d74b696c149c6959eee
Opcode Fuzzy Hash: 39e3b204e624091e182da2e1025543c44bc7642291cf743e4d6fbdd7275586b5
Instruction Fuzzy Hash: 0E417131F002058FDB24AB74D95876E76E6BBC8750F204468E446DB3D8EF799C02AB91

Function 00F0BE10 Relevance: 2.5, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00F0BE44
4'^q, xrefs: 00F0BE2D

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 7cd72a62bd0805886bd1018f0df5b01559da3b8e8017d887e371f3327c806b70
Instruction ID: 34367b5cd8ba097bcae84dcf7a9b3363b0e20fad452fa918d7cb5a5fdc856972
Opcode Fuzzy Hash: 7cd72a62bd0805886bd1018f0df5b01559da3b8e8017d887e371f3327c806b70
Instruction Fuzzy Hash: 1D0186353441052FDB081AA998549BABB9BEBCC360B14847AF909C7395DE76CC035351

Function 010F52E0 Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010F56B6

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 099e03fa18a9ceff5efdbce682c67e18de7305b4720f00307fce296f2f9c53f2
Instruction ID: b0020e7e89d8ad8d2ac43a55b8a7a07aa9595147b28c26ffa620538046bdc67d
Opcode Fuzzy Hash: 099e03fa18a9ceff5efdbce682c67e18de7305b4720f00307fce296f2f9c53f2
Instruction Fuzzy Hash: 9CC1AF70A007068FDB05DF69D89565EBBF2FF88300B008A6ED586DBB51DB74E945CB90

Function 00EF4230 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EF4271

Memory Dump Source

Source File: 00000007.00000002.4148156501.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ef0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f07914bf5b14e3c5d895c2ad6c4cb1b563dbec041d6829f35eb847912e0d0a65
Instruction ID: 485935b2e815239082c417676a79f40f0c35b95652a7f5ae87be3120ccee08a5
Opcode Fuzzy Hash: f07914bf5b14e3c5d895c2ad6c4cb1b563dbec041d6829f35eb847912e0d0a65
Instruction Fuzzy Hash: FD618871A00209DFDB14EFB4D858BAEBBB2AF85304F108529EA52A7394DF799945CB40

Function 010F6681 Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010F680A

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0cc7e1d3f675f06b3dc2b75c8df10eb04c9b5e91f513992ee0ad55e82bc3ac53
Instruction ID: d12a932d61638e40bc97ab77bd36934d17a336f105ae5b6e90ec2959cd8b9096
Opcode Fuzzy Hash: 0cc7e1d3f675f06b3dc2b75c8df10eb04c9b5e91f513992ee0ad55e82bc3ac53
Instruction Fuzzy Hash: 6B5111B1C04349AFDF01CFA9C980ADEBFB1BF48310F19816AE508AB221D3759955CF50

Function 010F66F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010F680A

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8e4c7281bb1b02645f794bff12bee09932545e76c6942f2d1166f4006524ecb4
Instruction ID: 4771ff96aa073de52c0d5b108c37a16c7ce979d5bc66c8b4382aa3b3c9c2358f
Opcode Fuzzy Hash: 8e4c7281bb1b02645f794bff12bee09932545e76c6942f2d1166f4006524ecb4
Instruction Fuzzy Hash: A641AFB1D003099FDB14CF9AC984ADEBFB5BF48310F24822EE519AB210D775A945CF91

Function 010FA164 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 010FB579

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e2f5a58d8b7f4b1a428ddbe8718895f1fc7a62a3e9f4826dfd7aeceb63fe156b
Instruction ID: 05ad7d7c2c7c7332779ac32243bc7c825a567cef55fae9940a080c85c559c96b
Opcode Fuzzy Hash: e2f5a58d8b7f4b1a428ddbe8718895f1fc7a62a3e9f4826dfd7aeceb63fe156b
Instruction Fuzzy Hash: 744107B4A00305CFDB14CF99C489AAEBBF5FB88714F24C459D659AB721D774A841CFA0

Function 05F3639E Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 05F36461

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4ad77b2ff19ad8ccdd1eb93c8497a5e2f50a616940809443f47a465d6db38d37
Instruction ID: a897c311a86d9ade8923331107f0598d7063a9d12fe3cd3677e10027958a52d8
Opcode Fuzzy Hash: 4ad77b2ff19ad8ccdd1eb93c8497a5e2f50a616940809443f47a465d6db38d37
Instruction Fuzzy Hash: 953112B1D04258EFDB20CFAAC880A8EBFF5BF48300F14802AE859AB314D7749905CF90

Function 05F32D08 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 05F36461

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5f185e38c6239dd9cc4f48d76ed524eca5c8074e5b6a2fb854e139025361bf74
Instruction ID: 11402a50346473cfa8a7d2eac301d3ca4b6455f1e129175aaaabafb10d626893
Opcode Fuzzy Hash: 5f185e38c6239dd9cc4f48d76ed524eca5c8074e5b6a2fb854e139025361bf74
Instruction Fuzzy Hash: B131D1B1D04258EFDB24CF9AC985A9EBBF5BF48710F14802AE819AB314D7749945CF90

Function 00EF41D0 Relevance: 1.6, APIs: 1, Instructions: 85libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00EF4271

Memory Dump Source

Source File: 00000007.00000002.4148156501.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ef0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e033204dd423ba15cf99be048c33929e49277b1a953b51e505982bf1c044c970
Instruction ID: 4e9357d948b6ffc3a773593b9db7b71059916aaf94d6b380642faaf8fe4a3cfa
Opcode Fuzzy Hash: e033204dd423ba15cf99be048c33929e49277b1a953b51e505982bf1c044c970
Instruction Fuzzy Hash: 5C312170A05348DFDB02DFB8D458BAEBFB2AF45300F1485ADE141AB791D73A9845CB50

Function 010FA5F0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA67F

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39de305b12068961378784c1079a1c011a58400769f1e07433116e0ada37176d
Instruction ID: 8881904bc00762831cbd788ea2b78163972bedc7bd63115941842b79e9247c80
Opcode Fuzzy Hash: 39de305b12068961378784c1079a1c011a58400769f1e07433116e0ada37176d
Instruction Fuzzy Hash: 5921E3B5D00208DFDB10CF9AD985ADEBBF8EB48310F14801AE958A7310D378A944CFA5

Function 010FA5F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA67F

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 509fd1fd98cff97bddb65d63299133d0a1065717cbcef3e312089300e33c469e
Instruction ID: c2f64ca608ca7a401cd9724837abb775ff86717e2d6fd644798cacbf0ea39183
Opcode Fuzzy Hash: 509fd1fd98cff97bddb65d63299133d0a1065717cbcef3e312089300e33c469e
Instruction Fuzzy Hash: F721B3B5D002589FDB10CF9AD584ADEBBF8EB48310F14841AE958A7250D378A954CFA5

Function 05F35F04 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05F388BA), ref: 05F389A7

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9fdffa1a60242fd46db44d4a206a28acaa1e7be4f5a097ba959fae954fe5e53c
Instruction ID: 124d9cba65c7446d5b74acb2ba21095ca62264777a461617463f9d1e6ee9c0ec
Opcode Fuzzy Hash: 9fdffa1a60242fd46db44d4a206a28acaa1e7be4f5a097ba959fae954fe5e53c
Instruction Fuzzy Hash: E61130B1C052599BDB10CF9AC544B9EFBF4BB48320F10812AE818B7240E378A940CFA6

Function 05F38938 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,05F388BA), ref: 05F389A7

Memory Dump Source

Source File: 00000007.00000002.4197652305.0000000005F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5f30000_qXLPL.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b8adbb707ab97d7716cf30dd7d8a88d571607b17bb33bbabb2405ee986a10760
Instruction ID: 2373228207237be92383ef788b47980842b008f51ac91bfcae2479c53d6a3607
Opcode Fuzzy Hash: b8adbb707ab97d7716cf30dd7d8a88d571607b17bb33bbabb2405ee986a10760
Instruction Fuzzy Hash: 1D1133B1C052699FDB10CFAAC545BEEFBF4BF48320F14816AD818A7251D378A944CFA1

Function 010FFEB0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010FFF2A

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 07ab4909c38c556619c72ea51ae76f0ca7780d215a37f5afabbb3f90c47115de
Instruction ID: 8ea0b3c629face5bcded9d0c95ab0f36d0f8f02d5cc6ffa8311299e50e118777
Opcode Fuzzy Hash: 07ab4909c38c556619c72ea51ae76f0ca7780d215a37f5afabbb3f90c47115de
Instruction Fuzzy Hash: 3911BBB190034ACFDB60CFA9C40979EBFF4FB05314F24802AD554A3646DB39A544CFA1

Function 010F36BC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 010F56B6

Memory Dump Source

Source File: 00000007.00000002.4151291955.00000000010F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_10f0000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e9ea1417dfd79dfb4106a6ed52e439fda14d1c2f83a05537e89d61d18982ae7d
Instruction ID: 064e04cff359f1cf0da4c729b3be8dca0d030f58ed573ede167cc695abf545ea
Opcode Fuzzy Hash: e9ea1417dfd79dfb4106a6ed52e439fda14d1c2f83a05537e89d61d18982ae7d
Instruction Fuzzy Hash: 58113FB5C003498FDB10DF9AD844BDEFBF4EB88220F14846ADA68B7610D378A545CFA4

Function 00F05CC0 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Hbq, xrefs: 00F05D6D

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 909376e2e33d92f4563d7f88be4cedd29ce2bf0484cb7c89a6f499e585528aba
Instruction ID: 3ddb562d9d995c76dc4e2eae1beff246e7ceccd11521867157b730f6d67946a8
Opcode Fuzzy Hash: 909376e2e33d92f4563d7f88be4cedd29ce2bf0484cb7c89a6f499e585528aba
Instruction Fuzzy Hash: 9531F230A0A6848FCB45DB7CC8187AE7FB1AF81300F5485BAD048CBA92DA398D06DB51

Function 00F0BAD1 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c4d36f91eebebf2afc2131ee78a80ec0b17fb1835c0619149674642a92c096
Instruction ID: fdc674987dbe80b826f470ac0aeaa113560bff71cb790dc334c0f4a63298a2c3
Opcode Fuzzy Hash: 17c4d36f91eebebf2afc2131ee78a80ec0b17fb1835c0619149674642a92c096
Instruction Fuzzy Hash: C7914671A056058FC711CF6CD8845AAFBB1FF85320B14C6AAE854DB396D731EC12DBA1

Function 00F082F0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad33a4740c611a62761c46f9b34bd44e2935e3a318f861a81e8778826fc8d77c
Instruction ID: f0c5cb8f2449642ecf3e3d08393b18a0a42e793ff3a95cd59c432c9fa0138817
Opcode Fuzzy Hash: ad33a4740c611a62761c46f9b34bd44e2935e3a318f861a81e8778826fc8d77c
Instruction Fuzzy Hash: 48616975E0024ADFCF05CFA4C844ADEBFB2FF88350F148126E845AB2A5DB349956EB50

Function 00F08C60 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fcaff4eac803893d7b0ede273310ba9160e2383186ed70771342e021bb3c8c
Instruction ID: 2219aba7b4f0528d97d3fb4808a4d6c6d945bef7b0eb70186e97e020e55b4966
Opcode Fuzzy Hash: b2fcaff4eac803893d7b0ede273310ba9160e2383186ed70771342e021bb3c8c
Instruction Fuzzy Hash: A2618C71E007498FCF15CFA5C5406DEFBF2AF99350F248619E894AB281DB70AD86EB40

Function 00F05A18 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7e4e74712eb2db5dabff8421ecf837e997e75f461d282161153302fa2585eb
Instruction ID: 2ed0b182872e4ae1ae4b6257e0016ac002565a5c86e55416f34c9e0ef4571f7c
Opcode Fuzzy Hash: 5a7e4e74712eb2db5dabff8421ecf837e997e75f461d282161153302fa2585eb
Instruction Fuzzy Hash: 5161A474D00218CFDB24DFB4E89859DBBB6FF89301F10856AE84AA7358DB399942CF50

Function 00F08443 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a971064b2ce08814ea8359e89112ec16b72bfa3abd113a3b942be6d3f59c35d2
Instruction ID: e136465050820c560e5e4bbda74b7892b642873f217e66b8a46599354d3990c6
Opcode Fuzzy Hash: a971064b2ce08814ea8359e89112ec16b72bfa3abd113a3b942be6d3f59c35d2
Instruction Fuzzy Hash: F651C434A04289DFCF11CFA4C8506AEBFB1AF45360F144166E891EB2E2CB35DD16EB51

Function 00F04E50 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24f39b15184052472eab99a5dce4039e1d4baa9f7192fa28049875ca8df6a8d
Instruction ID: 79e93bd9e0e0c520daa83b977483428d1d85ce1b25033f423403400f457ba22c
Opcode Fuzzy Hash: b24f39b15184052472eab99a5dce4039e1d4baa9f7192fa28049875ca8df6a8d
Instruction Fuzzy Hash: 9F31E270A053458FCB05CBA8E94469EBFF2EB85314F2481BAD108EB395E735AC02DB50

Function 00F085AF Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9f324220e3dbf2e48dc1e020132f0ccefdd0d6e4d441070bc345156fd317e2
Instruction ID: e22d2bb75f0e732dc9a025a841fefd02d91d5d99f3b00aded26ff1947f1db62b
Opcode Fuzzy Hash: 4d9f324220e3dbf2e48dc1e020132f0ccefdd0d6e4d441070bc345156fd317e2
Instruction Fuzzy Hash: 2031C3306042848FCB11CF68CC547AA7FB1AF05364F094599E4C6DB6E2CB71EC42EB55

Function 00F05450 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b012983e64feaef29c2c226609a263f9876f306c5b6504dca6e50fb347b28a43
Instruction ID: 92730ee58d395de5951ef1547d3b4575ec9694d2f67de71b42ba4db82364aae7
Opcode Fuzzy Hash: b012983e64feaef29c2c226609a263f9876f306c5b6504dca6e50fb347b28a43
Instruction Fuzzy Hash: D321BE75F002158FCB10EFB898046AF7BF6AB88B50F108029E945E7384EB78DD019F95

Function 0101D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4150083230.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_101d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4485a415116cff3567d8f035297273c8f11ffabee5a0695252781eb0c1dc94
Instruction ID: 4b870643c2386a82b6f1b4ffb2ebe2078e377a412898d089409edce9e7377ff3
Opcode Fuzzy Hash: ce4485a415116cff3567d8f035297273c8f11ffabee5a0695252781eb0c1dc94
Instruction Fuzzy Hash: 2F212575504200DFCB16DF58D988B16BFA5FB84314F20C5ADE9894B25AC33AD447CB61

Function 00F0B728 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb4fd35ac5f216be176abf92cb5d11366a61dfa7fe30803191e7e4a7c16cf65
Instruction ID: 7d890f061855cd7d64d37727fda7713f38541c5fd82b36dfe57ebe93bcc602fc
Opcode Fuzzy Hash: cdb4fd35ac5f216be176abf92cb5d11366a61dfa7fe30803191e7e4a7c16cf65
Instruction Fuzzy Hash: 26215A70E10219DBDB24DFA0D956BAEBFF9BF84305F104429E501A73D4CB759A02EB90

Function 00F0B821 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90707a368321e1238f99a0af9dbe0617d85a6e49f5635f93a064abb8e87660b8
Instruction ID: f37a1164ccbf9b732eead76361c41488070418280abaf459a24df7946fef0071
Opcode Fuzzy Hash: 90707a368321e1238f99a0af9dbe0617d85a6e49f5635f93a064abb8e87660b8
Instruction Fuzzy Hash: 79215A70E012499FDB05DFA5D550AEEBFF6BF48315F14802AF411E62A4DB349A42EB60

Function 00F05A08 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be52107db87b6d8679f603df3ac169f13cfba4e61820affadcf36c16c34a6e0
Instruction ID: 4f50a9bf5de9c46ec714423933a3d4a0b6ed3e4c8b04b76c367f9e57b72ebb5c
Opcode Fuzzy Hash: 4be52107db87b6d8679f603df3ac169f13cfba4e61820affadcf36c16c34a6e0
Instruction Fuzzy Hash: D621F574E002099FDF14EFF4E85869DBBB1BF88304F008569E55AAB398DB3959468F41

Function 00F09528 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f58adc1ea0091d277ab5d878460cd5e76b68ae6f899dea31aa9b6a4c68b09d
Instruction ID: 9063846ed27328f4c0b07822229167cef68f0dc7475993c2b09d7223646b0cda
Opcode Fuzzy Hash: e0f58adc1ea0091d277ab5d878460cd5e76b68ae6f899dea31aa9b6a4c68b09d
Instruction Fuzzy Hash: 3E11E031B04114CFCB15EF29D95477DB3A2AB84721F688529E81ACB2D2EBB1DC41FB90

Function 00F0B719 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5788de6e3f47009d8e6e83d343274c60a2abd5e45276979926f9afe9faf3b0b
Instruction ID: ccef733fdebd79eec35ddb5a34f4b25a98a164eaa9c491ebce85bc2e783f6779
Opcode Fuzzy Hash: d5788de6e3f47009d8e6e83d343274c60a2abd5e45276979926f9afe9faf3b0b
Instruction Fuzzy Hash: 0D11BE70E142589FDB15DF64D955A9EBFB1BF80300F10492EE441A77D8CB349802EB50

Function 0101D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4150083230.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_101d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e96775076a5ba4b1027b67bfa55b6291fda18b934bb889845dc19e27deddfd15
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8C119075504280DFDB16CF58D5C8B16FFA2FB44314F24C6AAE8494B65AC33BD44ACB62

Function 00F04DD8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcbdbf6ef4e61795777797731ef6e28f687a9ed33a4bec6d67d3931dcabf060
Instruction ID: fb297ff6b00de49f544a253f8b9aad916f34c7d6791ddde69113cbf905c0f37f
Opcode Fuzzy Hash: cfcbdbf6ef4e61795777797731ef6e28f687a9ed33a4bec6d67d3931dcabf060
Instruction Fuzzy Hash: 8AF030B1E441169FCB509FAC68492EE7FF5FBC9220B20067AEA49D3704D67949038BD1

Function 00F04DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f0665c85287372503f019ccc4161d540240eb5c781a1d6848759e055ec72b4
Instruction ID: 2cead402a05ec129e3e20c650c4b8bd9b498590d2ad4d3e2e444f75dd5f3612b
Opcode Fuzzy Hash: c9f0665c85287372503f019ccc4161d540240eb5c781a1d6848759e055ec72b4
Instruction Fuzzy Hash: 0DE012B2E041199F87509BADA8056AE7BF9FB88621B100476E609D3304EA744A019BD1

Function 00F061C4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bc17243ef40ec31925dfe7c2c6ef3da9ea3d3cfa79c3b35b5b2274451dff53
Instruction ID: c3a666ddd5f4ab207ed3acc4f78a0c5be2697621ff57bfdff61314cde35ba995
Opcode Fuzzy Hash: 85bc17243ef40ec31925dfe7c2c6ef3da9ea3d3cfa79c3b35b5b2274451dff53
Instruction Fuzzy Hash: EFD01211B512669ECF842BBF151033E04C72BC43D2B708C7A6503CA2EAFC2CCE913255

Function 00F0EE58 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4148501426.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f00000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e6c254f69953e60acc003e6c26ec02454d06583106e3568e4870754cc4a3812
Instruction ID: 32d1be376c2587a904bb37d0641709286ad81145a3c2b69bc4d1aabae293ecdd
Opcode Fuzzy Hash: 0e6c254f69953e60acc003e6c26ec02454d06583106e3568e4870754cc4a3812
Instruction Fuzzy Hash: C4C0486544E3C16FC703473C88640647F30281702038A02EB8081CA8A7E64E492A87A3

Analysis Process: qXLPL.exePID: 2056, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	111
Total number of Limit Nodes:	6

Executed Functions

Function 04F42838 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c05a4abdf2488f0c827f526ef840da1beb9258f279f1852b2bafb1767d93d0e
Instruction ID: fc783129086e50a9592baa06e2d921c9de902e0278778d88d55538f5a53f153d
Opcode Fuzzy Hash: 2c05a4abdf2488f0c827f526ef840da1beb9258f279f1852b2bafb1767d93d0e
Instruction Fuzzy Hash: 1E912870E012098BDB04DFE9D4546AEBFB2BF88350F15D469E814A7355EF34A982CF51

Function 04F42070 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197bdfb07863006413d30ef9270562c2a829c59e8834defbae4521de64ad80bc
Instruction ID: 5a3566a742ef430665384a75d498f7d3f1db1a284cc1415529a41db52ccc7a74
Opcode Fuzzy Hash: 197bdfb07863006413d30ef9270562c2a829c59e8834defbae4521de64ad80bc
Instruction Fuzzy Hash: 88A11671E002198BEB14DFA9C8447ADBFB2BF89340F11D4A9E518B7244EB706A86CF51

Function 04F42061 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe8b66ddb96ca09cdf924faf2b6e7d62e063b91007da657d34ee9805891b2c6
Instruction ID: e08c5efb24e8f4956746d5c681cfcd4bf12febacc1b95f5ea26d5449abe9c13e
Opcode Fuzzy Hash: dbe8b66ddb96ca09cdf924faf2b6e7d62e063b91007da657d34ee9805891b2c6
Instruction Fuzzy Hash: 72814971E002198BDB14DFA9D8407AEBFB2BFC9340F11D4A9E518B7254EF706A868F51

Function 04F42828 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62728d02ace8b693f5535efe66a3dec8a6e1a4ab8c45e9ca912ed0528c2074e2
Instruction ID: aed344c7aba6d0c4eb3cbcabd8ed30779b817a4abb89adbec0bb524d947bbd3c
Opcode Fuzzy Hash: 62728d02ace8b693f5535efe66a3dec8a6e1a4ab8c45e9ca912ed0528c2074e2
Instruction Fuzzy Hash: 32711671E012098BDB04DFE9D4447AEBFF2BF88350F15D46AE814AB355EF34A9828B51

Function 01547540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015475BE
GetCurrentThread.KERNEL32 ref: 015475FB
GetCurrentProcess.KERNEL32 ref: 01547638
GetCurrentThreadId.KERNEL32 ref: 01547691

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fa1fd3d360596db7f5239405b9f5992121ce1e05a8682dc918604936ff9f52b2
Instruction ID: 4d6ff5f1e77491a55155f047d5c909f2303c248ee549c8046127566acf790c47
Opcode Fuzzy Hash: fa1fd3d360596db7f5239405b9f5992121ce1e05a8682dc918604936ff9f52b2
Instruction Fuzzy Hash: E95125B0D002498FDB18DFAAD548B9EBBF1BB48318F20C559D019AB360D774A988CF65

Function 0154753C Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015475BE
GetCurrentThread.KERNEL32 ref: 015475FB
GetCurrentProcess.KERNEL32 ref: 01547638
GetCurrentThreadId.KERNEL32 ref: 01547691

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 09bcc20742ce78301041fe29734687a643fde1c8a94f3fb8dfdbbea5bb21e2e4
Instruction ID: 39fe807c2bb6975d6dcb589dfd7b6759f37211c837d0d18d16961a1d82490cea
Opcode Fuzzy Hash: 09bcc20742ce78301041fe29734687a643fde1c8a94f3fb8dfdbbea5bb21e2e4
Instruction Fuzzy Hash: 6B5126B0D002498FDB18DFAAD548BDEBBF1BB48318F20C559D019AB360D734A988CF65

Function 04F45940 Relevance: 2.6, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d8cq, xrefs: 04F45AB8
Hbq, xrefs: 04F45A00

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID: Hbq$d8cq
API String ID: 0-70480990
Opcode ID: 54e57bbc5d5aea0b06a38adcd865e71e0cfab9c51258febe5848a13d715ee72a
Instruction ID: 9449df4fba9acb75970f8de45f4f02f037568bf81504eb0e0388bd8d24e95638
Opcode Fuzzy Hash: 54e57bbc5d5aea0b06a38adcd865e71e0cfab9c51258febe5848a13d715ee72a
Instruction Fuzzy Hash: 6021C1307542047FE7186A395C95B7E2E9BEBC5760F288429F60A9F2C0DE74AC028355

Function 09CD7C14 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09CD7E4E

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4490f2bf759aa08f7280693fe789466cdb24d232ccb7e3f1b8e22ca850d6de57
Instruction ID: 6dd46490ab71f13bfa8d9da4a7a4c6f4c31180f25ef08bdbd83fb2833292b19b
Opcode Fuzzy Hash: 4490f2bf759aa08f7280693fe789466cdb24d232ccb7e3f1b8e22ca850d6de57
Instruction Fuzzy Hash: 80915FB1D01219CFEB20CF68D8417EEBBB2FF44314F1485A9E918A7254DB749A85CF91

Function 09CD7C18 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09CD7E4E

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd8346767c98e66abd84d05f31ba9994efc61ef8f3edc41c06b768456236a78d
Instruction ID: d8a575431b9be22565338443da2db452ef83d59ca4c710aaf77b83a6efb71d5f
Opcode Fuzzy Hash: cd8346767c98e66abd84d05f31ba9994efc61ef8f3edc41c06b768456236a78d
Instruction Fuzzy Hash: 6C915EB1D01219CFEB20CF68D8417EEBBB2BF48314F1485A9E908A7244DB749A85CF91

Function 0154FAD0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0154FBE2

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e44c07241f72e87f2564227e9167c2722fd8850979381946e007a44f4bc9a8e
Instruction ID: cb398570e0b736ae20e61d6e6dd4df828eba62c30291454f4964266edd49e0fa
Opcode Fuzzy Hash: 1e44c07241f72e87f2564227e9167c2722fd8850979381946e007a44f4bc9a8e
Instruction Fuzzy Hash: 0F41B0B1D103499FDB14CF99C984ADEBFB5FF48314F24862AE818AB210D7759845CF91

Function 09CD78F8 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09CD7990

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 74c15cc3b4882d0ad14dc8d3162b9099619d40ed747b1d5d5c874f6054e93309
Instruction ID: ed3917edc9a6dff09036b3376d24751706a64b96a834ca07956f8e596fa86790
Opcode Fuzzy Hash: 74c15cc3b4882d0ad14dc8d3162b9099619d40ed747b1d5d5c874f6054e93309
Instruction Fuzzy Hash: 652146B2D012199FDB10DFA9C881BDEBBF1FF48310F108429E958A7250D7799945CBA4

Function 09CD7900 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09CD7990

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d95cfdb626aa5daa1d828b6ecba7676b84b9c967495fe6fb4ac6f5ad1e52ce3f
Instruction ID: 8eb11c415a6f220ebf138d6a809ee15ad209b53c2ad58e7065b2b0aa561d4b06
Opcode Fuzzy Hash: d95cfdb626aa5daa1d828b6ecba7676b84b9c967495fe6fb4ac6f5ad1e52ce3f
Instruction Fuzzy Hash: 592136B2D003599FDB10DFA9C885BDEBBF5FF48310F10842AE958A7250C7789944CBA4

Function 09CD7670 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09CD76F6

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b28b8457f42bb976ea32ff03fbec6c3e5b78e772a47d488a02f5c0dc8651a7bf
Instruction ID: 0602860e126c0e154e10c1121fed6ea9a3ea3c81864e21cc438d43d6d0febe62
Opcode Fuzzy Hash: b28b8457f42bb976ea32ff03fbec6c3e5b78e772a47d488a02f5c0dc8651a7bf
Instruction Fuzzy Hash: A42138B1D002098FDB10DFAAC4857EEBBF4EF88324F10C42AD559A7240D7789A46CFA5

Function 09CD7678 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09CD76F6

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c663a717953c5b73f708c5bfe7b0972426dc0ee7a1042de76812d293e2a69f6d
Instruction ID: ebbce3605d028bc8fe8f81fb6f96532fa465fa3df635177acd7e2b5bf7546934
Opcode Fuzzy Hash: c663a717953c5b73f708c5bfe7b0972426dc0ee7a1042de76812d293e2a69f6d
Instruction Fuzzy Hash: 0D2118B1D002098FDB10DFAAC4857EEBBF4EF48324F14842AD559A7241D7789945CFA5

Function 09CD7A20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09CD7AA0

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: edab4f2fa7480c1ec670b7781d11a155921bdd149599c37344653076084b531b
Instruction ID: d8d2f9d0550d6f470c16ef0a1ffe8560b67b332fe9d07f33a59a2a04aec6ede1
Opcode Fuzzy Hash: edab4f2fa7480c1ec670b7781d11a155921bdd149599c37344653076084b531b
Instruction Fuzzy Hash: 7C2139B1C003599FDB10DFAAC880AEEFBF5FF48310F108429E558A7250C7749944CBA4

Function 01547788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0154780F

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 69563cc9b9ca6de7e8e5ae16b186ac9f1da0530ded0e5dc789d81ca91d8e07a1
Instruction ID: fede5adc9c60ac9212c38edd0b2693394f6dca76b4ac078845375ee870a66269
Opcode Fuzzy Hash: 69563cc9b9ca6de7e8e5ae16b186ac9f1da0530ded0e5dc789d81ca91d8e07a1
Instruction Fuzzy Hash: 0921C2B5D002589FDB10CFAAD984ADEBFF8FB48324F14841AE958A7350D374A944CFA5

Function 09CD7A18 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09CD7AA0

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f7dbb17f0d46f70e7ca4ab51bddab9f4439c539f0947ff0148f98470d93a90e
Instruction ID: 39b2ac5161ba6f6d7558e3a2370b41e59a5788e4dbae5b470e6c8852404d271d
Opcode Fuzzy Hash: 6f7dbb17f0d46f70e7ca4ab51bddab9f4439c539f0947ff0148f98470d93a90e
Instruction Fuzzy Hash: B72114B1D003498FDB10CFA9D9807EEFBF1BF48324F10842AE958A7250C7789951DBA4

Function 09CD7810 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09CD787E

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ccbf49d2e83a9a41f9db1aac8d8acc4ab1d6a14fedcc4951b07138729c01fe79
Instruction ID: 6f6217efe7109c42af960afb3aec37f6818303788fdc6b71b971138726412a4c
Opcode Fuzzy Hash: ccbf49d2e83a9a41f9db1aac8d8acc4ab1d6a14fedcc4951b07138729c01fe79
Instruction Fuzzy Hash: 7E1123B29002499FCB10DFAAD844ADEBBF5EF88324F208429E559A7250C775A944CFA4

Function 09CD7808 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09CD787E

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: db50fc583cb95b87b74140de15947ee37e51f914225794bfebe9a50f4573b097
Instruction ID: b32add95e1878f0efc57c38dc705ba7b8364cf488a1f256de8a72c1851c2bc3d
Opcode Fuzzy Hash: db50fc583cb95b87b74140de15947ee37e51f914225794bfebe9a50f4573b097
Instruction Fuzzy Hash: 611137B5900349CFCB14CFA9D9407DEBBF1AF48324F14842AD959A7260C7759950CF94

Function 09CD7598 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09CD75FA

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b98e4b5b6f0e9aefbb213f13983714779a0f70235e72dbe3803cc98ddec7215d
Instruction ID: 812bca8de863e1698ab3796e585094062bcd1760368460cb43577b07d591208b
Opcode Fuzzy Hash: b98e4b5b6f0e9aefbb213f13983714779a0f70235e72dbe3803cc98ddec7215d
Instruction Fuzzy Hash: 4E1136B1D002488FDB20DFAAC4457DEFBF4EB88324F20882AD559A7250CB75A944CFA5

Function 0154D6C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0154D72E

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ef25999c35b9061c07360ff2f8b4c21f0bc022a5da6dedb2286d1859a1de562b
Instruction ID: 0de2e387095ea0791d3c2c2d6dbf96702eed4c7fe3c76fba482916fa019827e5
Opcode Fuzzy Hash: ef25999c35b9061c07360ff2f8b4c21f0bc022a5da6dedb2286d1859a1de562b
Instruction Fuzzy Hash: 0011E0B5D002498FDB10CF9AC444BDEFBF5AB88328F10852AD959B7210C375A545CFA5

Function 09CD77CF Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09CD787E

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 473aaf49bbfc1bd62e0875225a772b4d76d30da33504814cb05ef59a7e802d72
Instruction ID: 45caf9338683aa60780a05dd28b3202953d208a837240645b0a3d78459f300d3
Opcode Fuzzy Hash: 473aaf49bbfc1bd62e0875225a772b4d76d30da33504814cb05ef59a7e802d72
Instruction Fuzzy Hash: E411E9B68043499FCB15CFA8E8047DFFFF2AF81318F14885AE658A7160C7398655CB92

Function 09CD7590 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09CD75FA

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 80d40de51b4678d57b167cb6c69dd92200f516df9af60dab657da53a6b8169fd
Instruction ID: de08662d2125bbc1975526aed2a5602a41e49796bd248da44e3185df40c02e43
Opcode Fuzzy Hash: 80d40de51b4678d57b167cb6c69dd92200f516df9af60dab657da53a6b8169fd
Instruction Fuzzy Hash: 6B1136B5D003498FDB14CFA9C5453DEFBF1AF88324F24882AC559A7250CB75A945CF98

Function 09CD9708 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09CD9765

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0969d29013e8b9f1ea54c9c7668ae672611ba46ec96f5c61a5fa39c5f20c7cb8
Instruction ID: 883bf3f5dfb12dd1336ec3ac07c95d3bdd03fd343a9c10e1be5ab35f9c31ea1f
Opcode Fuzzy Hash: 0969d29013e8b9f1ea54c9c7668ae672611ba46ec96f5c61a5fa39c5f20c7cb8
Instruction Fuzzy Hash: B611E2B9800349DFDB10DF9AD985BDEFBF8EB48324F10845AE558A7210C375A984CFA5

Function 09CD9700 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 09CD9765

Memory Dump Source

Source File: 00000008.00000002.2195187873.0000000009CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_9cd0000_qXLPL.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 80db20c0a6ba3c769cac28647e3cef91525ac3ffc60430f111a4e1cb9b9674bf
Instruction ID: 4f461ab3d079da62062b9c5f6e23dceb8c898e51b8236ce7add193475a7e138c
Opcode Fuzzy Hash: 80db20c0a6ba3c769cac28647e3cef91525ac3ffc60430f111a4e1cb9b9674bf
Instruction Fuzzy Hash: 251115B9800349CFDB10CF99D584BDEBBF4FB48324F10855AD958A7250C375A940CFA0

Function 01547848 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2150677810.0000000001540000.00000040.00000800.00020000.00000000.sdmp, Offset: 01540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1540000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ea0ce20153c9d21910ad5feb6cc7a237a7467e63351b3e84010772a685db44
Instruction ID: ef04357357709004b4978989d5c4eabc807514d5e4469702e3d20c629153c241
Opcode Fuzzy Hash: b4ea0ce20153c9d21910ad5feb6cc7a237a7467e63351b3e84010772a685db44
Instruction Fuzzy Hash: 98F08972908384CFEB2297ACD51839DBFE0EF89328F28889AC095DB152C3755445CB92

Function 04F40260 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

8bq, xrefs: 04F402E5

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 87cb6f7e87ed6d9a40dc1d123f08e29653011947e157ca159ad195682dc84f22
Instruction ID: 608f02f6dd086436d4836563e1e2efad94c609650315cab9f98134391bf37368
Opcode Fuzzy Hash: 87cb6f7e87ed6d9a40dc1d123f08e29653011947e157ca159ad195682dc84f22
Instruction Fuzzy Hash: 5DB1A074E00218CFDB54DFA9D844AADBBB2FF89300F10846AE509AB355EF346986CF51

Function 04F4024F Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

8bq, xrefs: 04F402E5

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: e257d260ae553c03c8865743844252bbf7a6f31a3b1052eee593af9a7753557b
Instruction ID: 2bb0b3bc2dd1cdf136ac21ad6d7b0b4e8e6bf0edc90bb223b7c6c1059fcde1a4
Opcode Fuzzy Hash: e257d260ae553c03c8865743844252bbf7a6f31a3b1052eee593af9a7753557b
Instruction Fuzzy Hash: 4DA1B374E04218CFDB54DFA9D844A9DBFB2FF89300F10846AE509AB355EB34A986CF51

Function 04F40F38 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Te^q, xrefs: 04F41099

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b7e952f75f9b21012af7151a6b116feb4d77f743080e91294d1bb3ecd81c6b7f
Instruction ID: 4c342b6d1c7e56ea4c8a5613c088e62e35868d994b9a86246b3bb495dd168885
Opcode Fuzzy Hash: b7e952f75f9b21012af7151a6b116feb4d77f743080e91294d1bb3ecd81c6b7f
Instruction Fuzzy Hash: B5419E31B102168FCB15DF7988488AEBBF6FFC82247158529E559DB391EF30ED0687A0

Function 04F40A50 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 04F40ABB

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 86a5e3e559b5aae6366e32ead00e7e882083342bd074a6a72f2c5d9310784e74
Instruction ID: ff36aca5bc8c3df0c7b27ea360c046833b8bf36a9755926535b6ff248fab757e
Opcode Fuzzy Hash: 86a5e3e559b5aae6366e32ead00e7e882083342bd074a6a72f2c5d9310784e74
Instruction Fuzzy Hash: AF112E71F0020A8FCB54EFB999105EFBAF6ABC8314B50446AC509E7344EF359E06CBA5

Function 04F41700 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bef51090c9522b6f25943f1939dfa5cb8c23d97f57a53c676a50ee8b7b3963
Instruction ID: b81a3a2910c7768ae6d1c530ffee381c9ef5e6573206dfc05244a4d3005e8297
Opcode Fuzzy Hash: 00bef51090c9522b6f25943f1939dfa5cb8c23d97f57a53c676a50ee8b7b3963
Instruction Fuzzy Hash: 79612A35A00619DFDB14DFA9C558A9DBBF1FF88314F218159E909AB360DB70ED85CB80

Function 04F416F1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0a12b5729ea21e28a525c317cf6c337d62868d4efa7b585c88ec103d01a803
Instruction ID: 1be556429fac4d706b4e7516f44e7bf87c238721867be3b7953b03486a53a9e6
Opcode Fuzzy Hash: 0e0a12b5729ea21e28a525c317cf6c337d62868d4efa7b585c88ec103d01a803
Instruction Fuzzy Hash: 1E612935A007199FDB14DFA9C998A9DBBF2FF88314F118159E409AB364DB70ED85CB80

Function 04F45FC7 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f3ac060cbb000e8bb68e4bdc58120764f112bb2b484e251637dd5f6d8c2a05
Instruction ID: e5c7c72d00d2789e546defffae361e5c8da764162b8a2fa1b55e7d7e6b2979a8
Opcode Fuzzy Hash: f5f3ac060cbb000e8bb68e4bdc58120764f112bb2b484e251637dd5f6d8c2a05
Instruction Fuzzy Hash: 6871C878902218CFD750EF69E998A49BFB2FB49311F0091A9F409DB365EB34AD85CF11

Function 04F45BFC Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04b680ec8bc0f463a36e21650ab2fc12e4091027e7d7b1b632017aba4a62a8e
Instruction ID: 9503855afa4544c03521acfbfbe8b07c2e4f03b4ea43429036600baf064849aa
Opcode Fuzzy Hash: e04b680ec8bc0f463a36e21650ab2fc12e4091027e7d7b1b632017aba4a62a8e
Instruction Fuzzy Hash: C8710974D41219CFDB50DFA8E948A9DBBB2FF88301F108169E50AAB355DB386D85CF50

Function 0124D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2148982414.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_124d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e296d06a4833993b05b129938107205f18087b81e536db0ced6b5ef51f55855
Instruction ID: 6a75268807d6184fceb8ab91e2ebbffdc670e978840a6459d76dc0b358560efc
Opcode Fuzzy Hash: 6e296d06a4833993b05b129938107205f18087b81e536db0ced6b5ef51f55855
Instruction Fuzzy Hash: F2212571510208DFDB09DF98D9C0B67BF65FBA4324F20C569EA090B256C376E456CAB1

Function 0125D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2149086388.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_125d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c577b9a9fd90d6d3c3199a8d391d8d2ce61f932ccb3b98a945dc1b1c1df52730
Instruction ID: 4ea98efebf56826115d04568d59b6d5258d22cea70832a7517318eedacf58984
Opcode Fuzzy Hash: c577b9a9fd90d6d3c3199a8d391d8d2ce61f932ccb3b98a945dc1b1c1df52730
Instruction Fuzzy Hash: B9213471514208EFDB41DF98C9C0B26BBA5FB84324F20C66DED098B257C376D846CA61

Function 0125D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2149086388.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_125d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91c7cc28511680063751f0f6c207ae6e52534a81925dfc59c76696b876efaba
Instruction ID: b19b12d9ab0989d6be67036f02f1cbc906a246f81b5d0416aa32da94d0db8090
Opcode Fuzzy Hash: a91c7cc28511680063751f0f6c207ae6e52534a81925dfc59c76696b876efaba
Instruction Fuzzy Hash: 43214270214208DFCB51DF68D9C0B26BFA1EB84314F20C56DDD0A4B256C37AD407CA61

Function 04F4CDF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0a1c166b15faa83099969e03b5a147b7a2396b79b7ffd382c2fb49c90e8379
Instruction ID: 8e626497582b2f20728dafdf1bcc6f6f53bc4de7955b668b889fa9afa4595778
Opcode Fuzzy Hash: 3e0a1c166b15faa83099969e03b5a147b7a2396b79b7ffd382c2fb49c90e8379
Instruction Fuzzy Hash: D7214A74E05249DFCB14DFA9D0446AEFFB5BB88300F11D569D414A7340DB35AA82CF91

Function 04F410DC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3caa2fa66d594386d38fa422ac69b52de6eab692fb1eca8d461760fffeba180
Instruction ID: 3efd0e83f2a6370e24d766b10574d7581cdc29053c087e3ac3e10e48fb16160c
Opcode Fuzzy Hash: d3caa2fa66d594386d38fa422ac69b52de6eab692fb1eca8d461760fffeba180
Instruction Fuzzy Hash: 2D31D4B0D01219DFDB20DF99CA89BCEBFF5AB88314F14815AE404BB251C7B56986CF91

Function 04F40BF0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521ea83179c209774555affad10aa4452bcd10884836f474bc963e04f919ecb7
Instruction ID: c4e9245a520c4947a8e2dc0b4f2df13f2b6f5ee52dfe0775e007a8d078a72648
Opcode Fuzzy Hash: 521ea83179c209774555affad10aa4452bcd10884836f474bc963e04f919ecb7
Instruction Fuzzy Hash: A031D5B0D01218DFDB20DF99C688B8EBFF4AB88314F14805AE404BB251D7B56886CF95

Function 04F45E7A Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b70a5f893dbb79c4240172e087f7e757f69831bdcb049dc4ceff174f546ad28
Instruction ID: f8d577fce1c2382d913337809aec0db2484759e6506d81c910fe5c65e9ba6c34
Opcode Fuzzy Hash: 3b70a5f893dbb79c4240172e087f7e757f69831bdcb049dc4ceff174f546ad28
Instruction Fuzzy Hash: 2731B73494025ACFDB64DFA4E844BADBB71FB84300F0085BAD50AA7754DB786E85CF61

Function 04F40F2A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1969117b4fb22c29dda184a0f2a666ea4ff9a6040549cd814f94af6b2f34dd9
Instruction ID: 6e8f6af439375da824aa14036f9bd5d269beead1880618554f6f6b813db02f1f
Opcode Fuzzy Hash: b1969117b4fb22c29dda184a0f2a666ea4ff9a6040549cd814f94af6b2f34dd9
Instruction Fuzzy Hash: B911C276B002165F9B15DF798C40ABFBAFBEBC8260B148528E514D7380EF30E90687A0

Function 0125D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2149086388.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_125d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563794630f549067dcb6a8c441a60529d20a9fd6f4cf1a62ac90ef3231477e2
Instruction ID: d72c03bd0912ecfb5b9a86a252578b4bd197306b213ac2107cc62bb2812eb1d6
Opcode Fuzzy Hash: e563794630f549067dcb6a8c441a60529d20a9fd6f4cf1a62ac90ef3231477e2
Instruction Fuzzy Hash: 52219A755093848FDB03CF24D9D4B15BF71EB46314F28C5EAD9498B2A7C33A980ACB62

Function 0124D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2148982414.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_124d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e6123bea7a4cbcb97f5d4e6e87e4e37037ce25da891e2acc2abe2653d8e4a9b9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: F4110376404244CFCB06CF54D5C4B56BF72FB94324F24C5A9D9090B657C33AE45ACBA1

Function 0125D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2149086388.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_125d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e75c23c6e109590de3d3b1976566f37a838087c79484b64806e9adb727d4e433
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4C11BB75504284DFDB02CF54C5C4B15BFA1FB84224F24C6AEDD498B297C33AD44ACB61

Function 04F40219 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d89b28092c3b1c5e3ec61203c6e757caf87b91cb61408670dc4cd03f77be185
Instruction ID: 32d9c369332fefe490e9d0f187433376fc42d1ef131bd69f34a829a7c6bc8695
Opcode Fuzzy Hash: 9d89b28092c3b1c5e3ec61203c6e757caf87b91cb61408670dc4cd03f77be185
Instruction Fuzzy Hash: D101263178E109DFC305DBA8D8167EE7F76DB86314F044198E948872D2EF31AA42D780

Function 04F401C0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a209897643c0d991ad560676b88765c3b46137b12d8b3398878aac61f19c712e
Instruction ID: e716b2a4c5e94e76a7aeb4e93fee899d9227d72a2f8300e79486478f70070c4f
Opcode Fuzzy Hash: a209897643c0d991ad560676b88765c3b46137b12d8b3398878aac61f19c712e
Instruction Fuzzy Hash: 3DF02B3179E105DFC306DF74D5057ED7F22AB8A311F109158E859872D2DF319A07E680

Function 04F458E8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb319b9fff6b939673cd0d56dd5df648c620dbd9fd13e1ec464f2eb4ff5a631
Instruction ID: f7eabc462e99ecc82f2e02a51e51fc4286e5fe8180d08479b99ca8e8c52cd54f
Opcode Fuzzy Hash: 4eb319b9fff6b939673cd0d56dd5df648c620dbd9fd13e1ec464f2eb4ff5a631
Instruction Fuzzy Hash: 22F0E931A08289EFDB21DFA4E400698BFF0AF16324F0492D9E894522A2D7301A46DB00

Function 04F401D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad50026127a7ecda1ff7d05689782b3cf8d179a45b15ba0642c3866359aa85b5
Instruction ID: a0d238734809a3c9cc07cbe85a1c473e2167ec3ccaae3fcf681a4b9889a219b6
Opcode Fuzzy Hash: ad50026127a7ecda1ff7d05689782b3cf8d179a45b15ba0642c3866359aa85b5
Instruction Fuzzy Hash: 71E04831949208DFC704EF64E4455BDBF75BB8A311F109159F90553350EF306A55EB94

Function 04F458F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b96672b7a360a31a6a8fe0d1291ef2654dcab2eb557aa8a14acfb38db19f29d
Instruction ID: 0e354a52fdc7b0920d5b49faf433acbc126d042dd9011f98fc12b0e5f63e5ae8
Opcode Fuzzy Hash: 8b96672b7a360a31a6a8fe0d1291ef2654dcab2eb557aa8a14acfb38db19f29d
Instruction Fuzzy Hash: 2DE0C275E0520CEFCF54EFA8E80469CBFF5EB48310F0091A9E80892310EB355A55EF80

Function 04F45BBC Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea83074f5934d5d4367ecdd3fc5d0cc8dd84ee192e2ff02801ca12f9ec6f04f
Instruction ID: fe3f56b0a9866fa26ff45a8dca061bd63578c9c75fad20ab83a9f7e2e886568d
Opcode Fuzzy Hash: bea83074f5934d5d4367ecdd3fc5d0cc8dd84ee192e2ff02801ca12f9ec6f04f
Instruction Fuzzy Hash: C0E0923150829ADFEB028F54D890AA97FB1FF97300F000696D199C7651DB382E49CF01

Function 04F40652 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879a77d3da0b7cfc87563cba1161ed2e7b810d96e811a4fdf29cd8373ffcae5a
Instruction ID: 00306e644ff3143cad67481d49dc54919749e42c0eacd36268862148b611d82d
Opcode Fuzzy Hash: 879a77d3da0b7cfc87563cba1161ed2e7b810d96e811a4fdf29cd8373ffcae5a
Instruction Fuzzy Hash: 69D02B3298B009CAC3408EE0D6017A87B69ABC1208F04019D890A23190EF345E01D200

Function 04F40660 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63891737b890ccb1ff1af861fe32d313d7ffa27c43c6db72b81188b9fb377bae
Instruction ID: 575893ed573f8e2f6ef11f7af3a021de833a0bbd49939b737fa31c965314ce17
Opcode Fuzzy Hash: 63891737b890ccb1ff1af861fe32d313d7ffa27c43c6db72b81188b9fb377bae
Instruction Fuzzy Hash: 05D0223298F10CEFC780DAE4D401AA97BEDD7C2208F0010ACEA0E23220EF712E01D685

Function 04F40A18 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2174280462.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4f40000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d451aa70dd38680d520b26ad54edb0d7826219d3db2d454e7e524b603f9adb9d
Instruction ID: 019a08c450f03bc3cf0df106a89246caf01c824f5cfc45c313c91e5c1a3a3b87
Opcode Fuzzy Hash: d451aa70dd38680d520b26ad54edb0d7826219d3db2d454e7e524b603f9adb9d
Instruction Fuzzy Hash: 16C08C362152016EC302E658CD20B8C7BF6FF90344F4E80A0A080CB2B1C322C81AE791

Analysis Process: qXLPL.exePID: 6548, Parent PID: 2056COMMON

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	128
Total number of Limit Nodes:	12

Executed Functions

Function 015C9F78 Relevance: 7.3, Strings: 5, Instructions: 1091
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xbq, xrefs: 015CA4C4
Xbq, xrefs: 015CA3BE
Xbq, xrefs: 015CA477
Xbq, xrefs: 015CA3F8
4'^q, xrefs: 015C9FDA

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$Xbq$Xbq$Xbq$Xbq
API String ID: 0-1948246764
Opcode ID: fc8e602c023dec203d5fbc0b80530e476df73eee6d422b2e9131155d027087fa
Instruction ID: 3791e9d86c480888f70f404e500e27185e5625780f4cb9b2d8d80ce21ca6eaa8
Opcode Fuzzy Hash: fc8e602c023dec203d5fbc0b80530e476df73eee6d422b2e9131155d027087fa
Instruction Fuzzy Hash: 53827432A163099FE7A4CE68E4CA2FBB7A1FF45670B04416FD0008AA65F7755C448BDB

Function 015C6030 Relevance: 5.8, Strings: 4, Instructions: 785
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 015C615E
\, xrefs: 015C6069
\, xrefs: 015C6123
PH^q, xrefs: 015C65B0

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: PH^q$\$\$\
API String ID: 0-2373583716
Opcode ID: bd3622817d5dbdbec2af223436c8b8ad27903bee4dc290fcc01824a628fb7bef
Instruction ID: bc276821e2ee324ea32c4d549ec579cce5c62bb1ae49a488f164307095e29866
Opcode Fuzzy Hash: bd3622817d5dbdbec2af223436c8b8ad27903bee4dc290fcc01824a628fb7bef
Instruction Fuzzy Hash: 70528D30B002158FDB249FB8D8547AEBBF2BF84714F2485A9D40ADB395EB35DD828B51

Function 015CCEE0 Relevance: 5.4, Strings: 3, Instructions: 1628COMMON

Download Yara Rule

Strings

Xbq, xrefs: 015CDDBC
Xbq, xrefs: 015CDDF2
Xbq, xrefs: 015CD7F7

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq
API String ID: 0-3756318479
Opcode ID: 98c7f5cd6ad62b454bb2a4011cb4417135b8991edd2d8d5dbfea23e92dcdc4a7
Instruction ID: 29474706b5f6a7031c1bfd46333d11258cf740610068f198d8e15e446e9b2fbf
Opcode Fuzzy Hash: 98c7f5cd6ad62b454bb2a4011cb4417135b8991edd2d8d5dbfea23e92dcdc4a7
Instruction Fuzzy Hash: 45C27E71B01309CFDBA58E99D88A3FDB7B2FB81729F1445AED0019E641EA328D41CBD5

Function 015C7207 Relevance: .7, Instructions: 667COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e310620812aeab0d3c7dc5e3e175288ee4630ffa6bd2648876ea6798e8c9dc6
Instruction ID: 6c4818f28649406e82a0fedc0742fe78396a631a381bc8876a38aeae2dace4d1
Opcode Fuzzy Hash: 6e310620812aeab0d3c7dc5e3e175288ee4630ffa6bd2648876ea6798e8c9dc6
Instruction Fuzzy Hash: F0426030E002488FEB25DFACC89479DBBF2BF89704F24846DD4099F296DA759C85CB52

Function 015CC220 Relevance: 6.5, Strings: 5, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 015CC537
XPcq, xrefs: 015CC3DE
\Ocq, xrefs: 015CC4A2
fcq, xrefs: 015CC2E4
PH^q, xrefs: 015CC474

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$PH^q$PH^q$XPcq$\Ocq
API String ID: 0-2308457832
Opcode ID: 452dda3e22efa999f6753f1a2925714877c6f59a3f774694c831fb716f16e28d
Instruction ID: de2ca1d3e8d38c82aa3d4f35e5b5baeec23c2a9b04b9cf2fa287cdd6541da998
Opcode Fuzzy Hash: 452dda3e22efa999f6753f1a2925714877c6f59a3f774694c831fb716f16e28d
Instruction Fuzzy Hash: B3919270B002099FDB24AFF9D85476EBAE7FB88714F20846DE15ADB394DE748C418B51

Function 0146A3A0 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0146A42E
GetCurrentThread.KERNEL32 ref: 0146A46B
GetCurrentProcess.KERNEL32 ref: 0146A4A8
GetCurrentThreadId.KERNEL32 ref: 0146A501

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 57cebfefd68eff4362dfa76d822e205c4b4aa72f72dcb3ab49fd6347bd21c2e5
Instruction ID: 1465cd39b0c7063795e5847ec5351d292de3e2525f65873cabb2894b999ccc9b
Opcode Fuzzy Hash: 57cebfefd68eff4362dfa76d822e205c4b4aa72f72dcb3ab49fd6347bd21c2e5
Instruction Fuzzy Hash: 525166B09017098FDB14DFA9D948BDEBBF5EF88308F208469D049A7364D7349984CF66

Function 0146A3B0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0146A42E
GetCurrentThread.KERNEL32 ref: 0146A46B
GetCurrentProcess.KERNEL32 ref: 0146A4A8
GetCurrentThreadId.KERNEL32 ref: 0146A501

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: da1b1569816b1bc0e510080c96eb476b3ca56bff518cab3d6ee45fd2a31255d9
Instruction ID: d1580659fe57deddc5f7c85e346dd97d8c3ba8137b3758467036abc5e96dc72d
Opcode Fuzzy Hash: da1b1569816b1bc0e510080c96eb476b3ca56bff518cab3d6ee45fd2a31255d9
Instruction Fuzzy Hash: 3D5154B49017098FDB14DFAAD548BDEBBF5EF88308F208469D049A7364D7349984CF66

Function 015B7678 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 312
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 015B78AF

Strings

LR^q, xrefs: 015B78E6
LR^q, xrefs: 015B794A

Memory Dump Source

Source File: 00000009.00000002.4149318465.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID: LR^q$LR^q
API String ID: 2994545307-4089051495
Opcode ID: 539475dd571d2b2f004e8e378f1b49fef65d50f59ec8cd0ff4db1f684d82930a
Instruction ID: 019d35f188098230ef28ca3bb70b3e16f07a411c041be0a7c4d76b13084ba277
Opcode Fuzzy Hash: 539475dd571d2b2f004e8e378f1b49fef65d50f59ec8cd0ff4db1f684d82930a
Instruction Fuzzy Hash: 47B1D730B053459FD7029BB9D854BAE7BE6AFC9304F1484AAE405CF392EA74EC49C752

Function 015C94E8 Relevance: 5.3, Strings: 4, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 015C9849
Hbq, xrefs: 015C96FA
Hbq, xrefs: 015C972D
,bq, xrefs: 015C982E

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: ,bq$,bq$Hbq$Hbq
API String ID: 0-3042663465
Opcode ID: a561ae594b1c86c63a5f6fff69e3a3385bf5934cdd9c64e211e088815d35eb35
Instruction ID: 5c612857d66ed87a995cc2225972348704d9aff08670fb61838f9aa1a16a243d
Opcode Fuzzy Hash: a561ae594b1c86c63a5f6fff69e3a3385bf5934cdd9c64e211e088815d35eb35
Instruction Fuzzy Hash: 55A1B8347002099FDB05EFA8C854AAE7BE6BFC8B04F248829E506DF295DB75DC41CB91

Function 015C5E70 Relevance: 4.0, Strings: 3, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 015C5F99
LR^q, xrefs: 015C5F3F
\, xrefs: 015C6069

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: LR^q$\$\
API String ID: 0-2226078569
Opcode ID: 4604c18eccdccc919e8d1a601027acc8fc8b909a7d8e829c4c90a3b068e3a5bc
Instruction ID: ee3edc5cbbc9b9e7b401140d9443bdf190e8e40f278eb8712be6bedc55a548b9
Opcode Fuzzy Hash: 4604c18eccdccc919e8d1a601027acc8fc8b909a7d8e829c4c90a3b068e3a5bc
Instruction Fuzzy Hash: 4271E230B042058FDB19CFE9C8506AE7BF6BB85710F1484AEE518DF292EB78DD428791

Function 015C6ED0 Relevance: 4.0, Strings: 3, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 015C7131
PH^q, xrefs: 015C71A5
fcq, xrefs: 015C713D

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$ fcq$PH^q
API String ID: 0-4172635152
Opcode ID: 74796493cef1f3ded7bdfd88ae6f8e331806c467e73f95d8d40ca5dfc7f1b53f
Instruction ID: 1adb530457bdfc7ffd16a3e53c7141a5d188fcb41f529269ba5f3f878a5d42e3
Opcode Fuzzy Hash: 74796493cef1f3ded7bdfd88ae6f8e331806c467e73f95d8d40ca5dfc7f1b53f
Instruction Fuzzy Hash: AD715F35B002058FDB549FB9D55876E7AFBAFC8710F208429E40ADB384EF749C428B92

Function 015C6AF8 Relevance: 3.0, Strings: 2, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 015C7131
PH^q, xrefs: 015C71A5

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$PH^q
API String ID: 0-2325994563
Opcode ID: 6db0ac8ba3dbffb7e0abca8490f2071c5ed45228b83c4d27b48436465964c34b
Instruction ID: ccb494fd7f450321b6accbb7cf9d68c32511ab5b0ee9f99ad77fdafe02eb688a
Opcode Fuzzy Hash: 6db0ac8ba3dbffb7e0abca8490f2071c5ed45228b83c4d27b48436465964c34b
Instruction Fuzzy Hash: 37025A30B002068FDB15DFB8D4546AE7BF6BF89710F20846AE40ADB395EF349D428B91

Function 015C86A0 Relevance: 2.8, Strings: 2, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 015C86B9
4'^q, xrefs: 015C86DF

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: e66fd34827bcfd7a004a5601f41582c92f79671567faced76e6f5137674c6f46
Instruction ID: 75afe644d27332bd74186b21c78c0719b88914a2e12ed51c5e7d22b2c0b77cef
Opcode Fuzzy Hash: e66fd34827bcfd7a004a5601f41582c92f79671567faced76e6f5137674c6f46
Instruction Fuzzy Hash: A4B12D343045018FEB259FADC85473D7AE6FF85E24F1844AEE106CF3A6EA69CC528742

Function 015CBCF0 Relevance: 2.6, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 015CBE44
4'^q, xrefs: 015CBE2D

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 6925ae5d68fbe93e0517379ddf2dc5a8912861eb3955ce41a252fb95e512be80
Instruction ID: 09396d16dfa49b3a8f5843f72c6ce45ef722a41e3c37f3a6db4a409334cfdd16
Opcode Fuzzy Hash: 6925ae5d68fbe93e0517379ddf2dc5a8912861eb3955ce41a252fb95e512be80
Instruction Fuzzy Hash: 16518F347042499FDB05DFA9C844B6EBBEAFF88750F14846AE908CF256DB75CC418B52

Function 015C71BF Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

fcq, xrefs: 015C7131
PH^q, xrefs: 015C71A5

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: fcq$PH^q
API String ID: 0-2325994563
Opcode ID: 5c8310d67938df6f6306d1c5d6da1180c884c8c55a65bc9296a6b2bea7d2a292
Instruction ID: b8ed9fe7280cd0ba6fda6bfe314309c64db2eea19f9665086f7679d3175bbb8d
Opcode Fuzzy Hash: 5c8310d67938df6f6306d1c5d6da1180c884c8c55a65bc9296a6b2bea7d2a292
Instruction Fuzzy Hash: 22413F35B002058FDB64AFB8D55877E7AFBBBC8B51F244429E506DB394EE748C028B91

Function 015B4230 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015B4271

Memory Dump Source

Source File: 00000009.00000002.4149318465.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb6446a4ae4ed53ce49986fe810630203d40fddd9dc06410d95366a119a20d05
Instruction ID: 5264baa0d6444169bcf4040f969cbb5e1648a60ad5a73a4ab5381f943c969319
Opcode Fuzzy Hash: eb6446a4ae4ed53ce49986fe810630203d40fddd9dc06410d95366a119a20d05
Instruction Fuzzy Hash: 88614A30A00305DFDB24EBB9D4987AEBBB6BF85304F148929E402AB395DF799C45CB51

Function 014666ED Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0146680A

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d7eea5053f9dafdc0fc4f163777aa5465c5c35cd9a7c8d25ef7cd4a8002defc4
Instruction ID: 79ffc7626bf24a2be3b59c71bbcf7c57b20b51febda85c3623f474cdf7741c8b
Opcode Fuzzy Hash: d7eea5053f9dafdc0fc4f163777aa5465c5c35cd9a7c8d25ef7cd4a8002defc4
Instruction Fuzzy Hash: 7E51D1B1D003199FDB14CFA9C884ADEBFB5BF48314F25812AE818AB210D7749841CF91

Function 014666F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0146680A

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9fca2da49845656d80e2e259200745c787047df08da883d28d524e36fe3c7f73
Instruction ID: ab1dd9d4bfb46a4391b8e5eea16f0cdc0b8e10aece418051b2eca1a1489e8473
Opcode Fuzzy Hash: 9fca2da49845656d80e2e259200745c787047df08da883d28d524e36fe3c7f73
Instruction Fuzzy Hash: 9741C0B1D003099FDB14CFAAD884ADEBFB5FF48314F24812AE418AB220D775A845CF91

Function 0146A164 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0146B579

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 532abfb3d200578d50979abe8f00e9e4947b7aa4d319fad247f0e980beef864d
Instruction ID: 347cd0d4e15c40a0effeac6c8d723ae6922cd5d8129b3b0a6dab3a18bf1f98b3
Opcode Fuzzy Hash: 532abfb3d200578d50979abe8f00e9e4947b7aa4d319fad247f0e980beef864d
Instruction Fuzzy Hash: 90411AB4A00345CFCB14CF99C488AAABBF9FF88318F14C459D519AB321D774A841CFA1

Function 015B41D0 Relevance: 1.6, APIs: 1, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 015B4271

Memory Dump Source

Source File: 00000009.00000002.4149318465.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15b0000_qXLPL.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7467e9f5b703b7bc092195d20b2f464bd327e6a3ce0a19d1e21064ae2608634
Instruction ID: a936a52430dbb2d6c7e6817c1e939422b4b93fdb0be1e3b49af6ba8d1647b5b6
Opcode Fuzzy Hash: a7467e9f5b703b7bc092195d20b2f464bd327e6a3ce0a19d1e21064ae2608634
Instruction Fuzzy Hash: 9931AF70A01345DFDB11DFB9E494AEDBBB2FF85314F24886DD4029B252DB399845CB50

Function 0146A5F0 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146A67F

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c47b0278a0fc954a0c4ca81043672748108d9840dbab6eb4340401522ac8f76f
Instruction ID: 07aadf242ecdcfe8e034dd6c87b2b9994333b928ad1f7d3ff58a4827e86b8ffe
Opcode Fuzzy Hash: c47b0278a0fc954a0c4ca81043672748108d9840dbab6eb4340401522ac8f76f
Instruction Fuzzy Hash: 002105B5D002189FDB10CFA9D884AEEBBF8EB48314F14801AE958A3320D374A950CFA5

Function 0146A5F8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0146A67F

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aa40d4a85c8cffd47c59a56b55271418c4e04b026ff210ce6fa133ec6cd632b5
Instruction ID: a7dd4db0034e804b5087ca78d12fbd4d8daed9397fd72d2b57f30436ef46dbf9
Opcode Fuzzy Hash: aa40d4a85c8cffd47c59a56b55271418c4e04b026ff210ce6fa133ec6cd632b5
Instruction Fuzzy Hash: 3721E4B59002189FDB10CF9AD584ADEBFF8EB48314F14801AE958A7310D374A954CFA5

Function 0146FEB0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0146FF2A

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bf2ef83ead8aca83e8ae7aa4eb5597dba4760fb47ec22eab5eded185b2a843fe
Instruction ID: e61a8a951cd551a98ff4cddf9ea103be3797c138fa30a75ac0fdbb01087bba50
Opcode Fuzzy Hash: bf2ef83ead8aca83e8ae7aa4eb5597dba4760fb47ec22eab5eded185b2a843fe
Instruction Fuzzy Hash: BB11AC75901349CFDB20DFA9D42879EBFF8FB09328F24802AD454A3256D739A544CFA2

Function 014636BC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014656B6

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ae27463c1e6c24be975e58b7148b45df96be6d69da8116bc65d0b8085d2bc13d
Instruction ID: 06fa54ba2e6a60c35d74569faa6c0fae74e6e68f336f2de555e3cb2e1fe96188
Opcode Fuzzy Hash: ae27463c1e6c24be975e58b7148b45df96be6d69da8116bc65d0b8085d2bc13d
Instruction Fuzzy Hash: 351102B5D007498FDB10DF9AD444ADEFBF8EB88224F10846AD519BB320C375A945CFA5

Function 01465649 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 014656B6

Memory Dump Source

Source File: 00000009.00000002.4142906213.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1460000_qXLPL.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a89976ac987a859ef9e0865886b147a65646433915eb6da28132431cc9e68d68
Instruction ID: afc29e65dec351e6b1efa15b4831808ba1ff8ec93cc5a4a55d133d0782a719b3
Opcode Fuzzy Hash: a89976ac987a859ef9e0865886b147a65646433915eb6da28132431cc9e68d68
Instruction Fuzzy Hash: A811FDB5D002498FDB20CFAAE444ADEFBF5AF88314F14846AD469A7320C379A545CFA5

Function 015C5CC0 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Hbq, xrefs: 015C5D6D

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: 418b8ac9cac5ce0296344a1b184a138237b7e3f2ae2dbc23706178922939f598
Instruction ID: 38793becdf70113ed1bc458e0380fc82706482b4b40f339037912b4f1e150b70
Opcode Fuzzy Hash: 418b8ac9cac5ce0296344a1b184a138237b7e3f2ae2dbc23706178922939f598
Instruction Fuzzy Hash: FA319934A053459FC745DFB8D4186AE7BF1BB81310F2484BAD049CF291EA389E86CB51

Function 015C4EB0 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842f577fe74f11508bb5694d00a3982edd776ffe5607d7cff74203b34fb86c5c
Instruction ID: 109e25b6d7284a4a5fcfc5dbbb3f63bf356b9f9cd2b9c837b5128f959d181299
Opcode Fuzzy Hash: 842f577fe74f11508bb5694d00a3982edd776ffe5607d7cff74203b34fb86c5c
Instruction Fuzzy Hash: 71D16A30B002058FDB15DFF8D8986ADBBE2BF88710F248469E506DB365EA75EC42CB51

Function 015CCB6B Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6ea3d4efeb30211e0e0c56fd1d1c12299375d22cb2721e9f262efba33a6fe0
Instruction ID: e5ee2c48d903bfda59c30bbd82ab3f04bb5de07d78ccd275eebfd09b72f1ca79
Opcode Fuzzy Hash: 2c6ea3d4efeb30211e0e0c56fd1d1c12299375d22cb2721e9f262efba33a6fe0
Instruction Fuzzy Hash: 49C1B231A006058FDB21CFEDD8906AEBBB2FF85710F10896AE159CF366D634D845CB91

Function 015C51E8 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373a78ca6155ddead240d19431fede8130e71117169938a0e834ef8a088301c3
Instruction ID: ad072ca40e7fd901e6a0f664a337e974e6d22c842ffdff0c308f5200aa92520a
Opcode Fuzzy Hash: 373a78ca6155ddead240d19431fede8130e71117169938a0e834ef8a088301c3
Instruction Fuzzy Hash: D6A1E230B142028FDB229FFDD85466E7BE6FB85B10F24447AE505CF292EA74EC468752

Function 015C7B40 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811595773e1c247d95a724b1e50ccd2c5703d716af0889e9ad1050dcc6a3f267
Instruction ID: 19f634a1f74c1c6ce8b09cb9e84709946085b4c4010e9dc6082774da08bba61f
Opcode Fuzzy Hash: 811595773e1c247d95a724b1e50ccd2c5703d716af0889e9ad1050dcc6a3f267
Instruction Fuzzy Hash: 2FA156317002458FDB16DFA8C894A6E7BE5BF89A00F1940AAE915CF7A2DB74DC41CB91

Function 015CBAD1 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3534e2fd092c9e868227aee274cb7694ce8c4b8cc759ecbbe53b8c0ae4917419
Instruction ID: c5df18ffe6e11225b3d2e1e5b262ac25e34c1a7216a3ec60abe1a5ca4b0f066f
Opcode Fuzzy Hash: 3534e2fd092c9e868227aee274cb7694ce8c4b8cc759ecbbe53b8c0ae4917419
Instruction Fuzzy Hash: 93A13A30901606CFC711CFACC88559ABBB5FF85364B15866ED968CF356D731E852CBA0

Function 015C82F0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70cd5ae8e71fdc4ddb1a5f61e998b26014e5a0e4980b6d68f295e2349e67738
Instruction ID: f32fc666b44c8b63ef1ed9e18e7117184f831d85eff579edb05ed7aa05bfaa38
Opcode Fuzzy Hash: e70cd5ae8e71fdc4ddb1a5f61e998b26014e5a0e4980b6d68f295e2349e67738
Instruction Fuzzy Hash: 69A18931A002499FCF16CFE8C884ADEBFB2FF89310F14846AE945AF265D774A845CB54

Function 015CA058 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd8191510fbf3b64f9ce9c3ed5d8f5714ccb2a21d494f225a6f39900a557bcc
Instruction ID: c2f7c917b2d4fe30019a4c48c4e7007d05d4b1052c92b6548bef607d0d285741
Opcode Fuzzy Hash: edd8191510fbf3b64f9ce9c3ed5d8f5714ccb2a21d494f225a6f39900a557bcc
Instruction Fuzzy Hash: 77717E30B002199FD728ABB9C99876EBAE7BFC5704F24886DD0469F3A4DA759C41C781

Function 015C8C60 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ff30804008b85f13c15d755699376d0ddf8788fd3428cab40a714da7887a13
Instruction ID: 98185191692bcd5347912b333ffb785ec1805e2f79b13f657a65caafb822c655
Opcode Fuzzy Hash: b9ff30804008b85f13c15d755699376d0ddf8788fd3428cab40a714da7887a13
Instruction Fuzzy Hash: 84613570E007598FDF12CFE9C5406AEBBF2BF89700F24865AE855AF242D770A985CB50

Function 015C5A18 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1cfc86170f92d761692a097a3dcb7544d45d98561b1930da67a658e663b27e
Instruction ID: 48ebfb3f89ee95fd1d083a56fdb2ffbf775b1a5929e0a61f0b3ad4fceaea632b
Opcode Fuzzy Hash: df1cfc86170f92d761692a097a3dcb7544d45d98561b1930da67a658e663b27e
Instruction Fuzzy Hash: 2C618F78E00318CFDB64EFB4D89899DBBB6BF48305F50456AE81AA7358DB349942CF50

Function 015CD229 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de9e28fcb39b96e0f5c11f1489df0858f3d6b8e6d0c6c6c456a94e309891c0e
Instruction ID: 53e182f0007275b2ba07843704141569877bd9bb3c98d09f97d0967f24c35ac1
Opcode Fuzzy Hash: 0de9e28fcb39b96e0f5c11f1489df0858f3d6b8e6d0c6c6c456a94e309891c0e
Instruction Fuzzy Hash: 27419330B002095FEB14ABA8D994B6EB6F7BBD5704F24886DE405EF295CA75CC418791

Function 015C8C50 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac01d505db1d7a032938c8e7e64694eaa0711c99f54efe27a6b2d7febb1d84a
Instruction ID: be39ee4be125b64903eae3d1916f318092fbd5a07063f6f7fe9489333cae4a92
Opcode Fuzzy Hash: 4ac01d505db1d7a032938c8e7e64694eaa0711c99f54efe27a6b2d7febb1d84a
Instruction Fuzzy Hash: A5514871E007499FDF12CFE9C5406AEBBF2BF89710F24465AE845AF242D770A985CB40

Function 015C8443 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fb4241f29a3b8bf880a68ad298376117a9ab66e81122dbe6f0ead22ae8b289
Instruction ID: 6e2a2ce2b8dabb5c0d157b35cba14499e6995e23e55bfe55d65c6d02b84c0f29
Opcode Fuzzy Hash: 42fb4241f29a3b8bf880a68ad298376117a9ab66e81122dbe6f0ead22ae8b289
Instruction Fuzzy Hash: 8241AD30A04249DFCF12CFA8C884A9EBFB1BF49714F048459E955AF2A6D374E954CBA4

Function 015CB9E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235f04777ab332675e57c4586ce8358e8572c5858510978fb7c455c785a6e4b
Instruction ID: 54de1151ad3d5cf22143e61bc6bd635e4d3f1d937c426010062fb8894c5be71c
Opcode Fuzzy Hash: 1235f04777ab332675e57c4586ce8358e8572c5858510978fb7c455c785a6e4b
Instruction Fuzzy Hash: 37319C31801A029FC314CFACCC85549BBAABE817B9355CB59E5B94F6E2C771E8528AD0

Function 015C4E50 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba56e64a921aa719f28c26018250a5379d28bdb1f5ff6c18e4ab007575fdead
Instruction ID: 8176ce94825215683dce64ec4fbbfbfd97495aa985036eaf259de2bd1b94146d
Opcode Fuzzy Hash: fba56e64a921aa719f28c26018250a5379d28bdb1f5ff6c18e4ab007575fdead
Instruction Fuzzy Hash: A931B370A053498FCB01CFE9E95469DBBF2FB85324F25846AD104DB351E735AC42CB55

Function 015C94DA Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18566e415696c920920fac145f7bbbeff9642ec6de10d769d4218e9ade62cb46
Instruction ID: f8df308586ed8d73dc75ae1c2af7d9634c6dbb703f3ad2375f870491fa9b15bc
Opcode Fuzzy Hash: 18566e415696c920920fac145f7bbbeff9642ec6de10d769d4218e9ade62cb46
Instruction Fuzzy Hash: C121CC34B04205CFC711DFA8D464A6A7BE2BF95B29F1584AED40ACF292EB35DC41CB91

Function 015CB9D1 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c8155aa42f0c47648fc2aabe1920487fb376c515dd50465b9e726f278d76460
Instruction ID: 5d6ee75fffe04d2f5720ca49060642471a363696dc45af4c0986d4ec94953bc8
Opcode Fuzzy Hash: 2c8155aa42f0c47648fc2aabe1920487fb376c515dd50465b9e726f278d76460
Instruction Fuzzy Hash: 6D218E31801A028FC314CFACCC85558BB66BF817B9759CB59D5B94F7D2C772E8528AD0

Function 0138D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4141673326.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_138d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
Instruction ID: 17b582227c59ba50c3b5ae452d7ab4cebdbec33e3f05d3f282252574df9fdf76
Opcode Fuzzy Hash: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
Instruction Fuzzy Hash: 542122B1604304DFDB15EF98D984B26BFA5FB84318F20C56DD80A4B396C33AD447CA61

Function 015CB728 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610312d75f7f6b6ed47d7e65eb10b90e72312835ddfad515e159ed0f51debb0a
Instruction ID: 87aac67b3183b773eed68b99f0e11a0dc63d09a0322cfd0713d471a9f7dd3df2
Opcode Fuzzy Hash: 610312d75f7f6b6ed47d7e65eb10b90e72312835ddfad515e159ed0f51debb0a
Instruction Fuzzy Hash: 62217674E00219DFEB24DFA6D956BAEBBF5BF44740F10402DE801AB284CB799941CBA0

Function 015CB821 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5579f2afa9c934cc90d07b947d253f4c175eba0845c2c0148ff2bbf1d2f191c6
Instruction ID: 645ef8c80a4350f6c0cef1dca267fa83f3ec9df3917ad565f005fb7d5af2eabe
Opcode Fuzzy Hash: 5579f2afa9c934cc90d07b947d253f4c175eba0845c2c0148ff2bbf1d2f191c6
Instruction Fuzzy Hash: B4217774E012489FDB05DFEAD550AEEBFB6FF48741F14802AE411AA250DB38D941DB60

Function 015C5A08 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d6f63ac9755f91857eeef2ae992409063cd16e13bfb311beae2275daad3d68
Instruction ID: cd44819f4769092d522b1a90fc7876410356c000f4f62d5621cfc88bff47fa88
Opcode Fuzzy Hash: 92d6f63ac9755f91857eeef2ae992409063cd16e13bfb311beae2275daad3d68
Instruction Fuzzy Hash: C021E578E002099BDF24EFF8D85869DBBB1FF88300F10846AD51AA7258EB3459468F41

Function 015CB71A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720ac6d560b4e8399693b0f8d9157aa7e46db026ea916724db713a4093cba5d0
Instruction ID: 37430250eb3652e4fadd661768a2b6de900edb9bbe0242b83a38e5b9a643d875
Opcode Fuzzy Hash: 720ac6d560b4e8399693b0f8d9157aa7e46db026ea916724db713a4093cba5d0
Instruction Fuzzy Hash: B911BE70A01219DFEB28EFA5D9556AEBBF5FF40740F10442DE801AB394CB789C41CB90

Function 0138D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4141673326.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_138d000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: af53d568839933dc112eab31eca0de8df607c81ea012b28f3e35ef4ab21a8390
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 7311BEB5504380CFDB12DF54D5C4B15BF61FB44318F24C6AAD8494B696C33AD40BCB61

Function 015C82E0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b753cc4c26bec54ba4fd0f7abe4d7dfd0924c2bda52f53ce0cb9eac05e340c
Instruction ID: f05e43c2ad2e0dcb217bfcd1d1fe589ffe4cb39fc8edad049fc4878a91fed9ae
Opcode Fuzzy Hash: 57b753cc4c26bec54ba4fd0f7abe4d7dfd0924c2bda52f53ce0cb9eac05e340c
Instruction Fuzzy Hash: A001D371A002199FCF08CF99D9458DEBBF9FF88310F01816AE905AB254DB359A19CB90

Function 015C4DD8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c6405989f7b8cb34963b3cfb38dc2dc9c4dadeec89c97d6450b85fb47f7365
Instruction ID: c4181bb710b1cabac38c6d84cb9eac8980d1d03b80e95ebc57b58422c3c0695e
Opcode Fuzzy Hash: 74c6405989f7b8cb34963b3cfb38dc2dc9c4dadeec89c97d6450b85fb47f7365
Instruction Fuzzy Hash: 21F08272E042164F87509FA868451FE7BF9EAC9271B10083AD909D3204D67549528BD1

Function 015C4DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c39c53f2a6d8db24ffe757a3a2ec85e358e31ada48f9e56df5e3b3e2c073ee4
Instruction ID: 0bfdc0e0527dc599c77397a131f91e6c67ed784637339d02b789fcd8c8910c08
Opcode Fuzzy Hash: 0c39c53f2a6d8db24ffe757a3a2ec85e358e31ada48f9e56df5e3b3e2c073ee4
Instruction Fuzzy Hash: ACE01271E042199F8B50ABADA8046AE7BF9EA88621B110476D609D3304E6704A018BD1

Function 015C61C4 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90086cc1a06663108507a445f515ab5964ae4f8efbf359c5f24f345fc6c626
Instruction ID: a29e3677a1133a337c8bd8c14accb7860412a51864cafef1c07d4a1134854a9c
Opcode Fuzzy Hash: 8e90086cc1a06663108507a445f515ab5964ae4f8efbf359c5f24f345fc6c626
Instruction Fuzzy Hash: FDD0C905B516669E8F852EBE151023E04C63AC4293B608C6A6502CE2EAFC2CCA801255

Function 015CEE58 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4731f6803d34fd56438afd2b5340030834c27d3ec3a2db8268e7ba17315bf5d1
Instruction ID: 08bf191982edc63babb2ef8fc8a858b390ab074aa68fd60693d1b13beda488cd
Opcode Fuzzy Hash: 4731f6803d34fd56438afd2b5340030834c27d3ec3a2db8268e7ba17315bf5d1
Instruction Fuzzy Hash: 1AC04C7544FBC26FC343477894500507FB06D0313035605D6C180C94A7D59D48958791

Function 015CB9B0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77feae0a15cf731329377b516f7db5e80c8a220b363959e51006f876f4dcbac3
Instruction ID: f0ff9655b10eb7f401bdd49e0ba572759a162163f7d0104df83485936f10e8fe
Opcode Fuzzy Hash: 77feae0a15cf731329377b516f7db5e80c8a220b363959e51006f876f4dcbac3
Instruction Fuzzy Hash: 70C09B31449680CFCF179734D5552513FB4AB86345F3540DF8485C955BD6A84555C713

Non-executed Functions

Function 015CA375 Relevance: 5.1, Strings: 4, Instructions: 107COMMON

Download Yara Rule

Strings

Xbq, xrefs: 015CA4C4
Xbq, xrefs: 015CA3BE
Xbq, xrefs: 015CA477
Xbq, xrefs: 015CA3F8

Memory Dump Source

Source File: 00000009.00000002.4149527271.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_15c0000_qXLPL.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 127a1d91ab4e144eab4b66b0e5ada4cb2b8cf56590ef82f6cdac4ced67d11d85
Instruction ID: 76ad8b2357c610863d428b6a19fa63ca290aff6cbbfea65913fd37a0195bb3af
Opcode Fuzzy Hash: 127a1d91ab4e144eab4b66b0e5ada4cb2b8cf56590ef82f6cdac4ced67d11d85
Instruction Fuzzy Hash: 1741AC30D0435D8FDB268FAC889436EBFB5BB81700F1440ADC5159B296EB748985CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rwzBBMVxUb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qXLPL.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rwzBBMVxUb.exe.log

C:\Users\user\AppData\Roaming\3cm3pfgj.nbc\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

C:\Users\user\AppData\Roaming\le4u0yqd.oud\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe

C:\Users\user\AppData\Roaming\qXLPL\qXLPL.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\tcyi2soj.5kk\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
rwzBBMVxUb.exe

Function 02367507 Relevance: 6.2, APIs: 4, Instructions: 150
threadCOMMON

Function 02367540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 086A7C0D Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 086A7C18 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0236D4C8 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Function 0236FAD0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre