Edit tour

Windows Analysis Report
MQNT.exe

Overview

General Information

Sample name:	MQNT.exe
Analysis ID:	1592723
MD5:	27f5aa99c8e512ca56c2a46fb0b7be6b
SHA1:	65a1336c182612c091ef925d52477639c7735d01
SHA256:	575d39610e80fff09fc08eb068983bd0524bd2ef9508607be2749620150ddc85
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Yara detected aPLib compressed binary

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

MQNT.exe (PID: 7032 cmdline: "C:\Users\user\Desktop\MQNT.exe" MD5: 27F5AA99C8E512CA56C2A46FB0B7BE6B)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MQNT.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\update.exe	CN_Honker_WordpressScanner	Sample from CN Honker Pentest Toolset - file WordpressScanner.exe	Florian Roth	0xd571c:$s0: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 0xe8368:$s1: (http://www.eyuyan.com) 0xcbd6c:$s2: GetConnectString 0xe2cd4:$s4: #if !defined(AFX_RESOURCE_DLL) \|\| defined(AFX_TARG_CHS)

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.2052285705.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: MQNT.exe PID: 7032	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.MQNT.exe.71faeb.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.MQNT.exe.6e9d0f.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.MQNT.exe.71faeb.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.MQNT.exe.6e9d0f.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.MQNT.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.MQNT.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T13:24:02.272126+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	103.235.46.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://47.92.98.180:88/MQNT/MQNT.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\update.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: MQNT.exe

Virustotal: Detection: 65%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\update.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MQNT.exe

Joe Sandbox ML: detected

Source: MQNT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96
Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 103.235.46.96:443

Source: global traffic

HTTP traffic detected: HEAD / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveAccept: text/html, application/xhtml+xml, */*Accept-Encoding: identityAccept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: www.baidu.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.baidu.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: MQNT.exe	String found in binary or memory: http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c
Source: update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/GX_RZ.txt
Source: MQNT.exe	String found in binary or memory: http://47.92.98.180:88/MQNT/MQNT.exe
Source: MQNT.exe, update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/data.txt
Source: MQNT.exe	String found in binary or memory: http://ip-api.com/json/?lang=zh-CN
Source: MQNT.exe	String found in binary or memory: http://q1.qlogo.cn/g?b=qq&nk=
Source: MQNT.exe	String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp?json=true
Source: MQNT.exe	String found in binary or memory: http://www.eyuyan.com
Source: MQNT.exe, update.exe.0.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: MQNT.exe	String found in binary or memory: http://www.eyuyan.comservice
Source: MQNT.exe	String found in binary or memory: http://www.ibsensoftware.com/
Source: MQNT.exe	String found in binary or memory: http://www.ip138.com
Source: MQNT.exe	String found in binary or memory: http://www.ip138.comUser-Agent:
Source: MQNT.exe	String found in binary or memory: https://api.ip.sb/ip
Source: MQNT.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/h
Source: MQNT.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:
Source: MQNT.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=
Source: MQNT.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=content-type:
Source: MQNT.exe	String found in binary or memory: https://ip.cn/api/index?ip=&type=0
Source: MQNT.exe	String found in binary or memory: https://ipinfo.io/json
Source: MQNT.exe	String found in binary or memory: https://www.baidu.com
Source: MQNT.exe	String found in binary or memory: https://www.baidu.comDate:KB3140245/
Source: MQNT.exe	String found in binary or memory: https://www.uc.cn/ip
Source: MQNT.exe	String found in binary or memory: https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe Author: Florian Roth

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_00411D24: CreateFileA,DeviceIoControl,CloseHandle,

0_2_00411D24

Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00417922		0_2_00417922
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00462BA2		0_2_00462BA2

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\update.exe 0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF

Source: C:\Users\user\Desktop\MQNT.exe

Code function: String function: 00401080 appears 59 times

Source: MQNT.exe, 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs MQNT.exe
Source: MQNT.exe, 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs MQNT.exe
Source: MQNT.exe	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs MQNT.exe
Source: MQNT.exe	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs MQNT.exe

Source: MQNT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: CN_Honker_WordpressScanner date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, score = 0b3c5015ba3616cbc616fc9ba805fea73e98bc83, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal88.evad.winEXE@1/3@2/1

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_00401B6D CreateToolhelp32Snapshot,Module32First,

0_2_00401B6D

Source: C:\Users\user\Desktop\MQNT.exe

File created: C:\Users\user\Desktop\update.exe

Jump to behavior

Source: MQNT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MQNT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MQNT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MQNT.exe

Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MQNT.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\MQNT.exe

File written: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: MQNT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MQNT.exe

Static file information: File size 5524480 > 1048576

Source: MQNT.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1e3800
Source: MQNT.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x32f400

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: MQNT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.MQNT.exe.71faeb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MQNT.exe.6e9d0f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MQNT.exe.71faeb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MQNT.exe.6e9d0f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MQNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MQNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2052285705.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MQNT.exe PID: 7032, type: MEMORYSTR

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_005C28F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005C28F0

Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_005B6920 push eax; ret		0_2_005B694E
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_005B8E18 push eax; ret		0_2_005B8E36

Source: C:\Users\user\Desktop\MQNT.exe

File created: C:\Users\user\Desktop\update.exe

Jump to dropped file

Source: C:\Users\user\Desktop\MQNT.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\MQNT.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\update.exe

Jump to dropped file

Source: C:\Users\user\Desktop\MQNT.exe TID: 2972

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\MQNT.exe

File opened: PhysicalDrive0

Jump to behavior

Source: MQNT.exe, 00000000.00000002.2117310347.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2071390426.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114799320.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2082746130.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114465348.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWBS1)
Source: MQNT.exe, 00000000.00000002.2117054668.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000002.2117310347.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2071390426.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114799320.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2082746130.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp, MQNT.exe, 00000000.00000003.2114465348.0000000000CA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_005C28F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005C28F0

Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00433142 mov ebx, dword ptr fs:[00000030h]	0_2_00433142
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00435217 mov ebx, dword ptr fs:[00000030h]	0_2_00435217
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00409A24 mov ebx, dword ptr fs:[00000030h]	0_2_00409A24
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00422225 mov ebx, dword ptr fs:[00000030h]	0_2_00422225
Source: C:\Users\user\Desktop\MQNT.exe	Code function: 0_2_00421E1E mov ebx, dword ptr fs:[00000030h]	0_2_00421E1E

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_0046B2DC HeapAlloc,RtlFreeHeap,GetProcessHeap,HeapReAlloc,

0_2_0046B2DC

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_00411C79 cpuid

0_2_00411C79

Source: C:\Users\user\Desktop\MQNT.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\MQNT.exe

Code function: 0_2_005BB17C GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,

0_2_005BB17C

Source: C:\Users\user\Desktop\MQNT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MQNT.exe	65%	Virustotal		Browse
MQNT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\update.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\update.exe	50%	ReversingLabs

Source	Detection	Scanner	Label
http://www.ip138.comUser-Agent:	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/GX_RZ.txt	0%	Avira URL Cloud	safe
http://www.eyuyan.comservice	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/data.txt	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/MQNT.exe	100%	Avira URL Cloud	malware
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	0%	Avira URL Cloud	safe
https://www.baidu.comDate:KB3140245/	0%	Avira URL Cloud	safe
http://www.eyuyan.com	0%	Avira URL Cloud	safe
https://www.uc.cn/ip	0%	Avira URL Cloud	safe
http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.wshifen.com	103.235.46.96	true	false	high
18.31.95.13.in-addr.arpa	unknown	unknown	false	high
www.baidu.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://47.92.98.180:88/MQNT/GX_RZ.txt	update.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com)DVarFileInfo$	MQNT.exe, update.exe.0.dr	false		high
https://api.ip.sb/ip	MQNT.exe	false		high
https://club.vip.qq.com/api/aggregation?g_tk=	MQNT.exe	false		high
http://whois.pconline.com.cn/ipJson.jsp?json=true	MQNT.exe	false		high
http://www.ip138.comUser-Agent:	MQNT.exe	false	Avira URL Cloud: safe	unknown
https://club.vip.qq.com/api/aggregation?g_tk=content-type:	MQNT.exe	false		high
http://www.eyuyan.comservice	MQNT.exe	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	MQNT.exe	false		high
https://cdid.c-ctrip.com/model-poc2/h	MQNT.exe	false		high
https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:	MQNT.exe	false		high
https://ipinfo.io/json	MQNT.exe	false		high
https://ip.cn/api/index?ip=&type=0	MQNT.exe	false		high
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	MQNT.exe	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com	MQNT.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?lang=zh-CN	MQNT.exe	false		high
https://www.baidu.comDate:KB3140245/	MQNT.exe	false	Avira URL Cloud: safe	unknown
http://47.92.98.180:88/MQNT/MQNT.exe	MQNT.exe	true	Avira URL Cloud: malware	unknown
http://47.92.98.180:88/MQNT/data.txt	MQNT.exe, update.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://q1.qlogo.cn/g?b=qq&nk=	MQNT.exe	false		high
https://www.uc.cn/ip	MQNT.exe	false	Avira URL Cloud: safe	unknown
http://www.ip138.com	MQNT.exe	false		high
http://47.92.98.180:18081/myauth/web/getUserCount?skey=c0ecd8de-75e7-47a6-a22b-8adedbf78780&apikey=c	MQNT.exe	false	Avira URL Cloud: safe	unknown
https://www.baidu.com	MQNT.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.235.46.96	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592723
Start date and time:	2025-01-16 13:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MQNT.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@1/3@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.23, 4.175.87.197, 13.107.246.45, 13.95.31.18
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:24:02	API Interceptor	1x Sleep call for process: MQNT.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.46.96	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/s?wd=www.cfjuzi.com&rsv_spt=1&issp=1&rsv_bp=0&ie=utf-8&tn=utf8speed_dg&inputT=453
	New Al Maktoum International Airport Enquiry Ref #2401249.exe	Get hash	malicious	FormBook	Browse	www.wvufcw948o.top/pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz
	4.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	1.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	1.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://wap.sunblock-pro.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	103.235.47.188
	http://m.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	chromsetup.exe	Get hash	malicious	Unknown	Browse	185.10.104.109
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://wap.sunblock-pro.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	103.235.47.188
	http://m.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	103.235.46.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	PEN2ydG.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	103.235.46.96
	vXn4pan2US.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	OC1025QPR.docx.doc	Get hash	malicious	Unknown	Browse	103.235.46.96
	CLOlOswCpi.msi	Get hash	malicious	Unknown	Browse	103.235.46.96
	vXn4pan2US.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	8jm0z0L.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	103.235.46.96
	Set-up.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	celebrationannabirthday.mp4.hta	Get hash	malicious	LummaC	Browse	103.235.46.96
	Infoblatt_Ausnahmesituation.pdf.lnk	Get hash	malicious	LummaC	Browse	103.235.46.96

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\update.exe	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Users\user\Desktop\MQNT.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	422
Entropy (8bit):	3.9822709529024487
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmWvclLwv2G4wmL66uCEuyLyn:QCGwv4o0BlLweTL66uuyW
MD5:	12848C48DA8097C0879B053388DFBAA3
SHA1:	EDA6082B0982F73B9AEF2FABA3F867BE30EC04C9
SHA-256:	2573DC5A90C39667074D2CEB4F18DA5F4713708B6CF6A52D0675707A222D392F
SHA-512:	C9CFFDA09CB896665BFE70F238E3F5727AB8B12F4BDDA78137A39065D769BB9F7A5022300D9E0BCD5710FFC0376983FCE29876294F4D9A2C382ACBC7EBEEEDBE
Malicious:	false
Reputation:	low
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.o.c.u.m.e.n.t.s.\.1.9.C.A.D.7.2.1.B.5.9.B.0.9.B.2.0.8.B.5.A.7.E.2.F.6.3.8.7.8.4.3...i.c.o.....I.n.f.o.T.i.p.=.....Q............. ............. .................Q.Q.........................

C:\Users\user\Desktop\update.exe

Download File

Process:	C:\Users\user\Desktop\MQNT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	954368
Entropy (8bit):	6.344965617584001
Encrypted:	false
SSDEEP:	24576:YvtI2D6CEhvugYa3EZfup4jflORg0RBQI:YevLEZ7cRg0RJ
MD5:	8A619EBB79546DD4487F312B9C57934F
SHA1:	6986759E032DB2694D625C85EC5C8B4AD74A689B
SHA-256:	0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF
SHA-512:	AB29923B35AA1D21813F9D6B012979385F7C4B161FEE51C28A4987768B93297C81E88EAA969B9F491F0A359FD18F3515CC19C694ABD95413A575053C5BA29C7B
Malicious:	true
Yara Hits:	Rule: CN_Honker_WordpressScanner, Description: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, Source: C:\Users\user\Desktop\update.exe, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: 5vrRrFN56j.exe, Detection: malicious, Browse Filename: wRhEMj1swo.exe, Detection: malicious, Browse Filename: wRhEMj1swo.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......p.-.4.C.4.C.4.C.[.H.=.C.[.I.2.C...M...C.O.O.1.C.b.P...C.V.P.(.C.4.B...C.....7.C...H.E.C...I..C..H.W.C..I./.C.4.C.m.C..E.5.C.Rich4.C.........................PE..L.....\|g.........................................@..........................................................................Q..,....0...e..............................................................................0............................text...n........................... ..`.rdata.............................@..@.data...j...........................@....rsrc....e...0...p... ..............@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

Download File

Process:	C:\Users\user\Desktop\MQNT.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	5.7039139970238075
Encrypted:	false
SSDEEP:	1536:vrpcQaRJlr5a3QEC2ADfYVmqpPZf++r7MJsEzlDtr66Evbag:vrpcQaGHVmOhf++razdtYp
MD5:	19CAD721B59B09B208B5A7E2F6387843
SHA1:	7AB6F085A11E86D5514E182BF0DF1C96723C8901
SHA-256:	F9DFF22EF297227202F34343DA1BA9585F843B3AA0834B1074F273C9D9542252
SHA-512:	E6DB461CB85A7B4C9F44019678E49562B68B820FFF6F0EE82A7533F710858C7AA7DF72FE57E4FE0A6A8291C33AAD819C5DCD7B75F9A55CFF12AF12344A555E81
Malicious:	false
Reputation:	low
Preview:	............ .(.......(............. .................................................200.............................................. ...! ..! ..! ..$!..$!..$"..%#..&#..&#..'$..'$..(%.!(%.&+).),.,-+.,-+.),.-+.,-+.-.,.+.,.+.,.-.,.-.,.-.,.,-+.,,.(-,.(-,.'-,.'-,.'-,.&.-.'/..)/..)/..+32.+32.-32.-32.+33.+33.-32.-32..43..43..31..31..31..31..31./42.-41.+2/./-.+0..+2/.+2/.-0..).,.(-+.'.+.'.+.'.+.(-+.'.+.(/,.&/,.(/,.(/,.(/,.(/,.(/,.(/,.(/,.&/,.#,).!,). +(..'..(%..'$..%"..%"..&$..&$..$#..#"..#".."!.." .." .........................................PRR.............................................#%&.............................................. ..!!..!!..#!..$"..&$..%#..'$..&$..(%..'%..(&..(&..)'.!,.$,+.%-,.%-,.%-,.%-,.&.-.'/..'20.(31.21.21.21.+32.)33.)33.44.(44.)55.)55.)55.)55.66.+77.)55.)55.)55.)55.)55.)55.)55.)55.-77.-86.-86.-86.-86.-86.-86.-86.,75.+64.)42.(31.+64.+64.+32.(31.)42.'42.'42.'42.'42.'42.'42.&42.#0..#0..#0.."/-."/-.!.,.!.,.!.,..-+...+..,..,)..(..)&..'%..&$..%#..%$..$

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.076698191150393
TrID:	Win32 Executable (generic) a (10002005/4) 99.26% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	MQNT.exe
File size:	5'524'480 bytes
MD5:	27f5aa99c8e512ca56c2a46fb0b7be6b
SHA1:	65a1336c182612c091ef925d52477639c7735d01
SHA256:	575d39610e80fff09fc08eb068983bd0524bd2ef9508607be2749620150ddc85
SHA512:	f8754cb9c4b2f3ad266376da59765153c61c48b712ea0dafa41775e1504e6254ba67d7ac65690576a49667feb5a31bc5fe800e198607edfa5cc430d3f612f7a4
SSDEEP:	98304:5q+ZcUWX+lbbEipLaUTEZ7ce0R252Pw8B4DuR/6JBAUZLc:5q+ZcUWX+/yV0R2YPxoaiJVA
TLSH:	1146C013F142C0B2E5160BB021B2573DAA799F515E74C983EBE4FEB9BC33162976610E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........D.}ID.}ID.}I+.vIM.}I+.wIB.}I?.qIA.}I..nIh.}I.. IF.}I..sIh.}ID.\|I..}I&.nI[.}IM..IE.}I..oIN.}Ir.vI..}Ir.wI..}I..vI*.}I..wIt.}

File Icon


Icon Hash:	2731d28aae6e218f

Static PE Info

General

Entrypoint:	0x5b5320
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6787A62E [Wed Jan 15 12:12:30 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2bbe6c36c6f18214d3400bb75b6c0bf1

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0083FE38h
push 005B8284h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [005E51C8h]
xor edx, edx
mov dl, ah
mov dword ptr [0099B1D4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0099B1D0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0099B1CCh], ecx
shr eax, 10h
mov dword ptr [0099B1C8h], eax
push 00000001h
call 00007F08E0B5BA7Bh
pop ecx
test eax, eax
jne 00007F08E0B55B3Ah
push 0000001Ch
call 00007F08E0B55BF8h
pop ecx
call 00007F08E0B5B826h
test eax, eax
jne 00007F08E0B55B3Ah
push 00000010h
call 00007F08E0B55BE7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F08E0B5B654h
call dword ptr [005E53F4h]
mov dword ptr [009A0444h], eax
call 00007F08E0B5B512h
mov dword ptr [0099B140h], eax
call 00007F08E0B5B2BBh
call 00007F08E0B5B1FDh
call 00007F08E0B590AEh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [005E5260h]
call 00007F08E0B5B18Eh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F08E0B55B38h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5119f0	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a1000	0x791c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1e5000	0x810	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e376e	0x1e3800	1609d35bb8f2b5d4e7aefd501dd5f680	False	0.3852831930261117	data	6.388863710472058	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1e5000	0x32f398	0x32f400	eb0eb04ac146c1a8d268c433bd07365b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x515000	0x8b44a	0x2a200	e0e96501acb0a48ac8d7c2e58804932d	False	0.3509017989614243	data	5.96440390442563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a1000	0x791c	0x7a00	e530300d5fc7c550178f7ba7e68665cc	False	0.44041367827868855	data	5.293603761108245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x5a1d9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x5a1da8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x5a1dc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
WAVE	0x5a1f14	0x1448	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz	Chinese	China	0.8330123266563945
RT_CURSOR	0x5a335c	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x5a3490	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x5a35c4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x5a36f8	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x5a37ac	0x134	AmigaOS bitmap font "(", fc_YSize 4294967292, 3840 elements, 2nd "\377\370\017\377\377\374\037\377\377\376?\377\377\377\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.32792207792207795
RT_CURSOR	0x5a38e0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.3246753246753247
RT_BITMAP	0x5a3a14	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.3598901098901099
RT_BITMAP	0x5a3b80	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x5a3dc8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x5a3f0c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x5a4064	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x5a41bc	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x5a4314	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x5a446c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x5a45c4	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x5a471c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x5a4874	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x5a49cc	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x5a4fb0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x5a5068	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x5a51d4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x5a5318	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x5a5600	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x5a5728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.5215759849906192
RT_MENU	0x5a67d0	0xc	data	Chinese	China	1.5
RT_MENU	0x5a67dc	0x284	data	Chinese	China	0.5
RT_DIALOG	0x5a6a60	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x5a6af8	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x5a6c74	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x5a6d70	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x5a6e5c	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x5a770c	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x5a77c0	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x5a788c	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x5a7940	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x5a7a24	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x5a7bb0	0x50	data	Chinese	China	0.85
RT_STRING	0x5a7c00	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x5a7c2c	0x78	data	Chinese	China	0.925
RT_STRING	0x5a7ca4	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x5a7e68	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x5a7f94	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x5a80dc	0x40	data	Chinese	China	0.65625
RT_STRING	0x5a811c	0x64	data	Chinese	China	0.73
RT_STRING	0x5a8180	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x5a8358	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x5a846c	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x5a8490	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5a84a4	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5a84b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5a84cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5a84e0	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x5a8504	0x14	data			1.2
RT_GROUP_ICON	0x5a8518	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x5a852c	0x14	data	Chinese	China	1.25
RT_VERSION	0x5a8540	0x20c	data	Chinese	China	0.5515267175572519
RT_MANIFEST	0x5a874c	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamGetFrame, AVIStreamInfoA
iphlpapi.dll	GetAdaptersInfo
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, PlaySoundA
WS2_32.dll	inet_ntoa, WSAStartup, WSACleanup, select, send, closesocket, WSAAsyncSelect, recvfrom, ioctlsocket, recv, getpeername, accept, ntohl
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	GetVersion, FileTimeToSystemTime, TerminateThread, VirtualAlloc, VirtualFree, CreateMutexA, ReleaseMutex, SuspendThread, InterlockedIncrement, InterlockedDecrement, LocalFree, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetLastError, GetSystemDirectoryA, GetWindowsDirectoryA, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, MoveFileA, DeleteFileA, CopyFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, SetLocalTime, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, InterlockedExchange, GetTimeZoneInformation
USER32.dll	GetSysColorBrush, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, SetWindowTextA, GetForegroundWindow, UnregisterHotKey, RegisterHotKey, CreateWindowExA, CallWindowProcA, GetWindowTextA, GetDlgItem, GetClassNameA, GetDesktopWindow, DrawStateA, FrameRect, GetNextDlgTabItem, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, LoadStringA, CreateIconFromResource, IntersectRect, UnregisterClassA
GDI32.dll	CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreatePatternBrush, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, TranslateCharsetInfo, SaveDC, RestoreDC, SetROP2, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, CreateFontIndirectA, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, GetTextMetricsA, SetDIBitsToDevice, SetTextColor, SetBkMode, TextOutA, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, CreateFontA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, GetPixel, CreateCompatibleDC, GetTextExtentPoint32A, LineTo, SetPolyFillMode, GetDeviceCaps
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
comdlg32.dll	ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA
ADVAPI32.dll	RegCreateKeyExA, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll	DragAcceptFiles, DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, SHGetSpecialFolderPathA, DragFinish
ole32.dll	CLSIDFromProgID, OleInitialize, CLSIDFromString, CoCreateInstance, OleRun, OleUninitialize
OLEAUT32.dll	VariantChangeType, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantClear, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, VariantInit
COMCTL32.dll	ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_Destroy, ImageList_Create, ImageList_BeginDrag, ImageList_DragShowNolock, _TrackMouseEvent, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_EndDrag, ImageList_Read, ImageList_Duplicate, ImageList_Add
WININET.dll	InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetCanonicalizeUrlA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T13:24:02.272126+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	103.235.46.96	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:24:01.030925989 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:01.030977011 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:01.031116009 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:01.032244921 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:01.032268047 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.272031069 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.272125959 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.272161961 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.272212029 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.276002884 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.276015043 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.276453972 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.318317890 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.354747057 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.399327993 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.681462049 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.681629896 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.681797028 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.743047953 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.743047953 CET	49704	443	192.168.2.5	103.235.46.96
Jan 16, 2025 13:24:02.743079901 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:02.743093014 CET	443	49704	103.235.46.96	192.168.2.5
Jan 16, 2025 13:24:31.091870070 CET	49732	53	192.168.2.5	162.159.36.2
Jan 16, 2025 13:24:31.096692085 CET	53	49732	162.159.36.2	192.168.2.5
Jan 16, 2025 13:24:31.096791029 CET	49732	53	192.168.2.5	162.159.36.2
Jan 16, 2025 13:24:31.101697922 CET	53	49732	162.159.36.2	192.168.2.5
Jan 16, 2025 13:24:31.555143118 CET	49732	53	192.168.2.5	162.159.36.2
Jan 16, 2025 13:24:31.560211897 CET	53	49732	162.159.36.2	192.168.2.5
Jan 16, 2025 13:24:31.560291052 CET	49732	53	192.168.2.5	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 13:24:01.019107103 CET	63531	53	192.168.2.5	1.1.1.1
Jan 16, 2025 13:24:01.026106119 CET	53	63531	1.1.1.1	192.168.2.5
Jan 16, 2025 13:24:31.091058016 CET	53	59226	162.159.36.2	192.168.2.5
Jan 16, 2025 13:24:31.598798037 CET	54398	53	192.168.2.5	1.1.1.1
Jan 16, 2025 13:24:31.605582952 CET	53	54398	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 13:24:01.019107103 CET	192.168.2.5	1.1.1.1	0x561f	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:24:31.598798037 CET	192.168.2.5	1.1.1.1	0x6f90	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 13:24:01.026106119 CET	1.1.1.1	192.168.2.5	0x561f	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:24:01.026106119 CET	1.1.1.1	192.168.2.5	0x561f	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 16, 2025 13:24:01.026106119 CET	1.1.1.1	192.168.2.5	0x561f	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:24:01.026106119 CET	1.1.1.1	192.168.2.5	0x561f	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false
Jan 16, 2025 13:24:31.605582952 CET	1.1.1.1	192.168.2.5	0x6f90	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	103.235.46.96	443	7032	C:\Users\user\Desktop\MQNT.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 12:24:02 UTC	271	OUT	HEAD / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, / Accept-Encoding: identity Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.baidu.com
2025-01-16 12:24:02 UTC	327	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 277 Content-Type: text/html Date: Thu, 16 Jan 2025 12:24:02 GMT Etag: "575e1f6f-115" Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT Pragma: no-cache Server: bfe/1.0.8.18 Connection: close

Target ID:	0
Start time:	07:23:59
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\MQNT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MQNT.exe"
Imagebase:	0x400000
File size:	5'524'480 bytes
MD5 hash:	27F5AA99C8E512CA56C2A46FB0B7BE6B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.2052285705.00000000006CD000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	185
Total number of Limit Nodes:	16

Executed Functions

Function 00401B6D Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09cfac538bf957463d812a45abac09a9f2656fd1b27599a3ba0622ce3e18579
Instruction ID: c2de46c2e110e03bb3836efe9bf1d6d2d9826bb302206d3e888e94ac73e06a5a
Opcode Fuzzy Hash: a09cfac538bf957463d812a45abac09a9f2656fd1b27599a3ba0622ce3e18579
Instruction Fuzzy Hash: 1F0270B1E402569BFB00CF98DCC579EB7B1FF58324F180035E90AAB381D279A951CB22

Function 00411D24 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e865087d264eed9a8594edd006f706368dc5d3afd3d14627e4f84ae6c79cb85
Instruction ID: 2c122db4a046ccd08a9902a496f4fab6ed0343760d19c02a345c546a72c11e94
Opcode Fuzzy Hash: 3e865087d264eed9a8594edd006f706368dc5d3afd3d14627e4f84ae6c79cb85
Instruction Fuzzy Hash: 4071F5B1E40309ABEF10DFD4DD46BDF7BB4AB18710F140065FA08BA2C1E6B65A548B66

Function 005DD371 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0099ADA0,0099AD74,00000000,?,0099AD84,0099AD84,005DD70C,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F,?,00000000), ref: 005DD380
GlobalAlloc.KERNEL32(00002002,00000000,?,?,0099AD84,0099AD84,005DD70C,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F,?,00000000), ref: 005DD3D5
GlobalHandle.KERNEL32(00C00920), ref: 005DD3DE
GlobalUnlock.KERNEL32(00000000), ref: 005DD3E7
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 005DD3F9
GlobalHandle.KERNEL32(00C00920), ref: 005DD410
GlobalLock.KERNEL32(00000000), ref: 005DD417
LeaveCriticalSection.KERNEL32(005B5400,?,?,0099AD84,0099AD84,005DD70C,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F,?,00000000), ref: 005DD41D
GlobalLock.KERNEL32(00000000), ref: 005DD42C
LeaveCriticalSection.KERNEL32(?), ref: 005DD475

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 5ab22189311a2ebad29122c10dfcaf68b24ef659480a37e1aa2c4b6f0dffb315
Instruction ID: 7da33687dd2fc7b43df2b405b6fde943d063634548bb340dfe96d7c00ca1a114
Opcode Fuzzy Hash: 5ab22189311a2ebad29122c10dfcaf68b24ef659480a37e1aa2c4b6f0dffb315
Instruction Fuzzy Hash: 30315E752007069FDB349F28DC89A2ABBF9FB44345B004D2EF592C7761E7B1E8088B20

Function 005DDFD3 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,005D979E,00000000,00000000,00000000,00000000,?,00000000,?,005D06D2,00000000,00000000,00000000,00000000,005B5400), ref: 005DDFDC
SetErrorMode.KERNEL32(00000000,?,00000000,?,005D06D2,00000000,00000000,00000000,00000000,005B5400,00000000), ref: 005DDFE3

Part of subcall function 005DE036: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005DE067
Part of subcall function 005DE036: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 005DE108
Part of subcall function 005DE036: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 005DE135

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 74979fa4a6354bda06d3e34d0de8cea16f9267f6b2a1f550bd31d889caff8fa5
Instruction ID: f648720d37e68f1e03ebf893b4601359daccb5772ceb2309d34479fd004753d0
Opcode Fuzzy Hash: 74979fa4a6354bda06d3e34d0de8cea16f9267f6b2a1f550bd31d889caff8fa5
Instruction Fuzzy Hash: 79F03C749142128FD724FFA8D449B1A7FA4BF84750F05844BF4888F362CB74D840CBA2

Function 005BB2C4 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,005B537E,00000001), ref: 005BB2D5

Part of subcall function 005BB17C: GetVersionExA.KERNEL32 ref: 005BB19B

HeapDestroy.KERNEL32 ref: 005BB314

Part of subcall function 005BEB55: HeapAlloc.KERNEL32(00000000,00000140,005BB2FD,000003F8), ref: 005BEB62

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: e382e7c3f428cd7d34fb75f93cedb8d05016d1001c53b2ca164e24fb5cfed674
Instruction ID: 29df3f369555872aa1071a143968944b911a3c305fd8de90a5eb22261fb7b6c9
Opcode Fuzzy Hash: e382e7c3f428cd7d34fb75f93cedb8d05016d1001c53b2ca164e24fb5cfed674
Instruction Fuzzy Hash: CFF06574914302DAFF101B345D56BA93EDCBB94742F300837F501CD0A2EBE0A480AA11

Function 005D84EA Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005D84FD
SetWindowsHookExA.USER32(000000FF,005D8842,00000000,00000000), ref: 005D850D

Part of subcall function 005DD76D: __EH_prolog.LIBCMT ref: 005DD772

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 3d1efe0212738801cf29c23b8482a59eed54d785b68280a1e35d6b12a49e8380
Instruction ID: fd2ee590a910e95e936ca9d381a1cf88ff5bfd10e2ef3153c0d8fcf29b4bf27f
Opcode Fuzzy Hash: 3d1efe0212738801cf29c23b8482a59eed54d785b68280a1e35d6b12a49e8380
Instruction Fuzzy Hash: 5EF0A0314403526BDB343BFCB80DB282EB1FB80760F480657F1515A3D2CB648C84C7A2

Function 005B7AE6 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005B7BDC

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9fb456ad3c79d50fc741dbb5c3bcd7aac967e3bc3df556e0a144d19c14283bad
Instruction ID: a9bc743ccea399bc8b2816315feb11e12bed9fa9b3161697d07447f568360f55
Opcode Fuzzy Hash: 9fb456ad3c79d50fc741dbb5c3bcd7aac967e3bc3df556e0a144d19c14283bad
Instruction Fuzzy Hash: 64319032D0862DAFCF10AFA89C81ADDBF74FB88724F14422AE411B71D1D7346940DEA4

Function 005B6C65 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 005B6D4C

Part of subcall function 005BD984: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,005B7B9C,00000009,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005BD9C1
Part of subcall function 005BD984: EnterCriticalSection.KERNEL32(?,?,?,005B7B9C,00000009,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005BD9DC

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 0830eec87d8e1843dbdd634952df152a0d7f83f24061c86e21bd218a78522b1e
Instruction ID: 7c35abca433f347f415975f1667e6c39adc1f51d5c7dda94e9840f3f2a7ba247
Opcode Fuzzy Hash: 0830eec87d8e1843dbdd634952df152a0d7f83f24061c86e21bd218a78522b1e
Instruction Fuzzy Hash: 05219532A00205ABDB10AB68DC46BE9BFA8FB00764F144616F510EB1D1D778F9419A54

Function 005B6B3E Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,005B7B9C,00000009,00000000,00000000,00000001,005BB10D,00000001,00000074), ref: 005B6C12

Part of subcall function 005BD984: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,005B7B9C,00000009,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005BD9C1
Part of subcall function 005BD984: EnterCriticalSection.KERNEL32(?,?,?,005B7B9C,00000009,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005BD9DC

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: f226b0d27769e0a77bebc0943ad755bc43ff9b9d074d98147188cc5668143e13
Instruction ID: 76c608aae71e8122beb7091c95e157632b6d1f51f4b4b03fd7352ba148979382
Opcode Fuzzy Hash: f226b0d27769e0a77bebc0943ad755bc43ff9b9d074d98147188cc5668143e13
Instruction Fuzzy Hash: AC21D47280560AABDF10AB94DC06FEEBF78FF04720F240129F410F61D1DB79A940CAA4

Function 005D92E6 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringA.USER32(?,?,?,?), ref: 005D92FD

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 7be3a6b6d769e87af5a2c25bce31723fcbb54a12d67e459c3bf1a37547124475
Instruction ID: 61130d7e66df4924a0710c23cfa5c522ce7a210218a7e727c13ee19e4d404c0d
Opcode Fuzzy Hash: 7be3a6b6d769e87af5a2c25bce31723fcbb54a12d67e459c3bf1a37547124475
Instruction Fuzzy Hash: 27D05E724083A29B8A119FA48808D4FBFA8BF54350B054C0AF58092211D3249444C661

Non-executed Functions

Function 00417922 Relevance: 15.7, Strings: 12, Instructions: 708COMMON

Download Yara Rule

Strings

\main\corn\zlib.dll, xrefs: 0041819B, 004181A0
\main\data\app, xrefs: 00417CED, 00417D52
\main\data, xrefs: 00417ACB, 00417B30, 00417C37, 00417C9C
\main\corn\libeay32.dll, xrefs: 00417F89, 00417F8E
\main\data\dll, xrefs: 00417E59, 00417EBE
0jn, xrefs: 0041793E
\main, xrefs: 0041795F, 004179C4
\main\data\plugin, xrefs: 00417DA3, 00417E08
\main\corn, xrefs: 00417B81, 00417BE6
\main\corn\sqlite3.dll, xrefs: 00418092, 00418097
/main/data/Bot/, xrefs: 00417F0F
\main\plugin, xrefs: 00417A15, 00417A7A

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID: /main/data/Bot/$0jn$\main$\main\corn$\main\corn\libeay32.dll$\main\corn\sqlite3.dll$\main\corn\zlib.dll$\main\data$\main\data\app$\main\data\dll$\main\data\plugin$\main\plugin
API String ID: 0-965314504
Opcode ID: c1c03016180e478c0ac920598340215be8034d766009a3c2441bbc7167f8ddc1
Instruction ID: 8d3680c0ec9d37c0f81c03ae8177cf5f6e3824b40b2e65d75c0d96bb8569ec76
Opcode Fuzzy Hash: c1c03016180e478c0ac920598340215be8034d766009a3c2441bbc7167f8ddc1
Instruction Fuzzy Hash: 163270B1F04345BBFB109ED59C86FAF7AB4EB10704F040079FE04B6382E6769A949B65

Function 005C28F0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005BB47E,?,Microsoft Visual C++ Runtime Library,00012010,?,008402CC,?,0084031C,?,?,?,Runtime Error!Program: ), ref: 005C2902
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 005C291A
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 005C292B
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 005C2938

Strings

GetLastActivePopup, xrefs: 005C292D
MessageBoxA, xrefs: 005C2914
GetActiveWindow, xrefs: 005C2925
user32.dll, xrefs: 005C28FD

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 02597825a0ebac1ead56c12fa8be39a8735673cb763d1b0fc01b5f28d7ea5d45
Instruction ID: a5b160564d5e18a237ea3a7c54e87890ca981b852e425047a487d6b8b3e4de26
Opcode Fuzzy Hash: 02597825a0ebac1ead56c12fa8be39a8735673cb763d1b0fc01b5f28d7ea5d45
Instruction Fuzzy Hash: 1E015271718306AF97109FF96C80E177FE8B758B91B00042EA648D3222D7798845BB61

Function 005BB17C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 005BB19B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005BB1D0
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005BB230

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 005BB20A
__MSVCRT_HEAP_SELECT, xrefs: 005BB1CB

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: aed3d3d59d55922db745ff103ecf3cad385a747ff14cc90285c697b987acddcc
Instruction ID: 89e40dc706d7996b255e60140a5dd3bf82a6b5ab8cf42a1b26132a563593d28d
Opcode Fuzzy Hash: aed3d3d59d55922db745ff103ecf3cad385a747ff14cc90285c697b987acddcc
Instruction Fuzzy Hash: 203137759412886DFB359A745C5ABEDBF68FF42304F2404E9E185DA042E7F0BE89CB11

Function 00462BA2 Relevance: 3.5, Strings: 1, Instructions: 2217COMMON

Download Yara Rule

Strings

!, xrefs: 00462C24

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: cb256e704a3ef711179e2cfd2e64b52d5ac3dfd5f8a2d77874b17285884bff1c
Instruction ID: 9e9b27764547914050b9cd5da6cbbb4a06d8c60d89eb7104d4e52fbfda42928b
Opcode Fuzzy Hash: cb256e704a3ef711179e2cfd2e64b52d5ac3dfd5f8a2d77874b17285884bff1c
Instruction Fuzzy Hash: 30131270D00619EBEF10AFD1ED8AADDBF71FF48310F10816AF9587A295DB724A608B51

Function 00433142 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 91d1f13879fe2af70fcff5c79436c4eed6fbb77cb5d0dae820a0aaef01d5960c
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 5F111964A14208C7EB00DFA4D580BAFB376FF2C700F105169D908EB395E67A9F10C7AA

Function 00435217 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: d3e49c5d33dce1431e6fd8aa759a7a76e5b6ef6f4c7b2453ebd6144ec9781717
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 64111964A10608C7EB00CFA4D580BAFB375FF5C700F105069D508EB395E77A9E11CBAA

Function 00422225 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 01f099d18c6b415d3832f90d77feb675fcd7c53e74234c8559e8395d3005ed85
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: E6112B64A10208D7EB00CFA4D580BAFB375FF2C700F105069D908EB395E77A9E50C7AA

Function 00421E1E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 7766a2280c4e9b36cfed8236e1ba4d3201192a5faea65bddfee612504bb00803
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 12112B64A14208C7EB00DFA4D480BAFB375FF6C700F105069D909EB395E77A9E11C7AA

Function 0046B2DC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d7bfbdab18aea4cdce0da10df7c32ef1de199f2718a6935834140590d0a55c
Instruction ID: 2b9f377f2a5fed8a827970c6b3dbf1163f3a7f57913ce452a8326b52c108c3b8
Opcode Fuzzy Hash: 40d7bfbdab18aea4cdce0da10df7c32ef1de199f2718a6935834140590d0a55c
Instruction Fuzzy Hash: 2611FC78A55318EFCB11CF99E9C0A88BBF0BF1D314B5054A5DA489B306D2306E50EF62

Function 00411C79 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387a41c2cda38a352361a5503079e532562a1bb8d84b34a3624ffd7b7a34b8c3
Instruction ID: 87e5827b5320926c841f058aaa09686196a737325b56300e34f91b30ed841264
Opcode Fuzzy Hash: 387a41c2cda38a352361a5503079e532562a1bb8d84b34a3624ffd7b7a34b8c3
Instruction Fuzzy Hash: D10112B1D00209ABEF10DFD59D867EEBA74FF14300F1040A9EA1837392E6775A548BA2

Function 00409A24 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166609f46e1e3870822f18e47ad906b85be3cb121b05c48cc550c3ccd7ee5f7
Instruction ID: 2dcd1bd821cbc9a0c9a99013c0af897fff7243ac31b2f2e11f57f49e9af32425
Opcode Fuzzy Hash: 4166609f46e1e3870822f18e47ad906b85be3cb121b05c48cc550c3ccd7ee5f7
Instruction Fuzzy Hash: 1DD0C934250789CFDB01CF54C0D1B41B3A8EB89748F108071DD419B385D2B8F945CAA1

Function 005BE884 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0084054C,00000001,00000000,00000000,7591E860,0099F0A4,?,?,?,005B70FD,?,?,?,00000000), ref: 005BE8C6
LCMapStringA.KERNEL32(00000000,00000100,00840548,00000001,00000000,00000000,?,?,005B70FD,?,?,?,00000000,00000001), ref: 005BE8E2
LCMapStringA.KERNEL32(?,?,?,005B70FD,?,?,7591E860,0099F0A4,?,?,?,005B70FD,?,?,?,00000000), ref: 005BE92B
MultiByteToWideChar.KERNEL32(?,0099F0A5,?,005B70FD,00000000,00000000,7591E860,0099F0A4,?,?,?,005B70FD,?,?,?,00000000), ref: 005BE963
MultiByteToWideChar.KERNEL32(00000000,00000001,?,005B70FD,?,00000000,?,?,005B70FD,?), ref: 005BE9BB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,005B70FD,?), ref: 005BE9D1
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,005B70FD,?), ref: 005BEA04
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,005B70FD,?), ref: 005BEA6C

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: dc9e2076fc9567b3085baf16fee96769e4732fac43a86113aefe322a5478d841
Instruction ID: 810c3fb4cb9b44b9c5649ec3fac4571a87eedda2ccbbbb21422f3a76c37527da
Opcode Fuzzy Hash: dc9e2076fc9567b3085baf16fee96769e4732fac43a86113aefe322a5478d841
Instruction Fuzzy Hash: 15519D32900649EFCF228F54DC8AAEE7FB9FF49754F284119F910A5160E335AD50EB61

Function 005BB35A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005BB3C7
GetStdHandle.KERNEL32(000000F4,008402CC,00000000,00000000,00000000,?), ref: 005BB49D
WriteFile.KERNEL32(00000000), ref: 005BB4A4

Strings

Runtime Error!Program: , xrefs: 005BB42D
..., xrefs: 005BB419
Microsoft Visual C++ Runtime Library, xrefs: 005BB473
<program name unknown>, xrefs: 005BB3D7

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 1db03452a98882469f3c5fb7b41adee18e0672fc6ea0d4f60989cbd50e111002
Instruction ID: 43871472c394f0d5185cbb7cd2b9c935937fae12e35983d2de8643c6c74e9674
Opcode Fuzzy Hash: 1db03452a98882469f3c5fb7b41adee18e0672fc6ea0d4f60989cbd50e111002
Instruction Fuzzy Hash: 7031B472A00208AFEF20AB64CD4AFEE7BADFB85700F500466F644E6142E7F4B944CE51

Function 005BAD93 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005B53B6), ref: 005BADAE
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005B53B6), ref: 005BADC2
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005B53B6), ref: 005BADEE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005B53B6), ref: 005BAE26
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005B53B6), ref: 005BAE48
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,005B53B6), ref: 005BAE61
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005B53B6), ref: 005BAE74
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 005BAEB2

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: bc6142ba86739c60ccae65c9280fb67a61a93eeb0c6f26a4fc17b237fe758cdb
Instruction ID: 8d54d50d2b1630a7565e5bbda38088bc073f8276d94ce1cba3625223b7e4c0b4
Opcode Fuzzy Hash: bc6142ba86739c60ccae65c9280fb67a61a93eeb0c6f26a4fc17b237fe758cdb
Instruction Fuzzy Hash: F331C6B25082656FDB207FB89CC88BB7F9CF699758755092AF592C3100E771FC4492A3

Function 005C201A Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0084054C,00000001,?,7591E860,0099F0A4,?,?,005B70FD,?,?,?,00000000,00000001), ref: 005C2059
GetStringTypeA.KERNEL32(00000000,00000001,00840548,00000001,?,?,005B70FD,?,?,?,00000000,00000001), ref: 005C2073
GetStringTypeA.KERNEL32(?,?,?,?,005B70FD,7591E860,0099F0A4,?,?,005B70FD,?,?,?,00000000,00000001), ref: 005C20A7
MultiByteToWideChar.KERNEL32(?,0099F0A5,?,?,00000000,00000000,7591E860,0099F0A4,?,?,005B70FD,?,?,?,00000000,00000001), ref: 005C20DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,005B70FD,?), ref: 005C2135
GetStringTypeW.KERNEL32(?,?,00000000,005B70FD,?,?,?,?,?,?,005B70FD,?), ref: 005C2147

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: d88ebaae84529ebfe950663121b81a67342de8d899e5da1459765a3df676aca0
Instruction ID: a8bb65e482d21593df186225b6b358f48abf6f6f34b4bae0a7a37c473b16bb57
Opcode Fuzzy Hash: d88ebaae84529ebfe950663121b81a67342de8d899e5da1459765a3df676aca0
Instruction Fuzzy Hash: BA41AF72A00209AFCF219F94DC86EEF7F79FB08750F14042AFA15E6260D3359914DB90

Function 005DD4E0 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0099AD84,0099AD74,00000000,?,0099AD84,?,005DD748,0099AD74,00000000,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DD4EB
EnterCriticalSection.KERNEL32(0099ADA0,00000010,?,0099AD84,?,005DD748,0099AD74,00000000,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DD53A
LeaveCriticalSection.KERNEL32(0099ADA0,00000000,?,0099AD84,?,005DD748,0099AD74,00000000,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DD54D
LocalAlloc.KERNEL32(00000000,00000005,?,0099AD84,?,005DD748,0099AD74,00000000,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DD563
LocalReAlloc.KERNEL32(?,00000005,00000002,?,0099AD84,?,005DD748,0099AD74,00000000,?,00000000,005DD15F,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DD575
TlsSetValue.KERNEL32(0099AD84,00000000), ref: 005DD5B1

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 2ca6b3cba18ca24217bf527ddf05e036b185bbeaa95a8183f16844c96af8c3c6
Instruction ID: d0ecf769678f7da3e30af50ed204bdbb94464ffe6a52f21c22c4a3f8c6bfefa7
Opcode Fuzzy Hash: 2ca6b3cba18ca24217bf527ddf05e036b185bbeaa95a8183f16844c96af8c3c6
Instruction Fuzzy Hash: 5F318E75100A06AFD724DF58D889F6ABBF8FF85358F00891AE556CB750E770E909CB60

Function 005DE036 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 005DE067

Part of subcall function 005DE153: lstrlenA.KERNEL32(00000104,00000000,?,005DE097), ref: 005DE18A

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 005DE108
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 005DE135

Strings

.INI, xrefs: 005DE12F
.HLP, xrefs: 005DE102

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 8ea3bc26a90596c83f1408a2a2dee1272323a6e9adc27387cba94f0f4d0067ae
Instruction ID: 0626d0527fa51c390e52313910c4e4c2833dc321f80fe017117b5fc04a58c01c
Opcode Fuzzy Hash: 8ea3bc26a90596c83f1408a2a2dee1272323a6e9adc27387cba94f0f4d0067ae
Instruction Fuzzy Hash: 413163759047199FDB21EBB4D889BC6BBF8BB44300F10496BE299D7241DB74A984CF60

Function 005BAEC5 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 005BAF23
GetFileType.KERNEL32(?,?,00000000), ref: 005BAFCE
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005BB031
GetFileType.KERNEL32(00000000,?,00000000), ref: 005BB03F
SetHandleCount.KERNEL32 ref: 005BB076

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 509cde762f58b435e4039584e76e329be269318e836ff09a5820fff0d10f802a
Instruction ID: 32c139b9ecff22ca85c098a144ec5a20ae7d61922c0fe9c2877e19f152e4d438
Opcode Fuzzy Hash: 509cde762f58b435e4039584e76e329be269318e836ff09a5820fff0d10f802a
Instruction Fuzzy Hash: 695146755086468FD720DF28C8887FA7FE0FB21368F244669D5A2CB2E1D7B0E905D751

Function 005BB0E8 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,005B76F2,005B9FA8,00000000,?,?,00000000,00000001), ref: 005BB0EA
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005BB0F8
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005BB144

Part of subcall function 005B7AE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,005BB10D,00000001,00000074,?,?,00000000,00000001), ref: 005B7BDC

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005BB11C
GetCurrentThreadId.KERNEL32 ref: 005BB12D

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread
String ID:
API String ID: 2047054392-0
Opcode ID: 413326f26ddf3ed0e8644b47c25416e80d8ea17eff9dc983b0dd4535cddb9d34
Instruction ID: 6b3bce78a42b613e1e129ba3c8751f93eed0a01a09c3d3403e94571bb10324cf
Opcode Fuzzy Hash: 413326f26ddf3ed0e8644b47c25416e80d8ea17eff9dc983b0dd4535cddb9d34
Instruction Fuzzy Hash: 07F0F636501A129BD7253B34BC0D69E3F10FB547B1F100A24FA91991A0FBE09840AA50

Function 005BF69C Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,0093C630,0093C630,?,?,005BFB68,00000000,00000010,00000000,00000009,00000009,?,005B6D11,00000010,00000000), ref: 005BF6BD
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,005BFB68,00000000,00000010,00000000,00000009,00000009,?,005B6D11,00000010,00000000), ref: 005BF6E1
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,005BFB68,00000000,00000010,00000000,00000009,00000009,?,005B6D11,00000010,00000000), ref: 005BF6FB
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,005BFB68,00000000,00000010,00000000,00000009,00000009,?,005B6D11,00000010,00000000,?), ref: 005BF7BC
HeapFree.KERNEL32(00000000,00000000,?,?,005BFB68,00000000,00000010,00000000,00000009,00000009,?,005B6D11,00000010,00000000,?,00000000), ref: 005BF7D3

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 68813af4335caf302f85bfe5e603fb0cfdabf0c465b60a2f9ce2f6055567f21e
Instruction ID: 90316d71a968b235e8b8b2236aa74a8787435009eaa7cedc7ab2e851a1bd640e
Opcode Fuzzy Hash: 68813af4335caf302f85bfe5e603fb0cfdabf0c465b60a2f9ce2f6055567f21e
Instruction Fuzzy Hash: 2031F4B5600B069BD3308F28DC86BA1BFE4FB54758F20453AE595AB6A0EB70B804DB44

Function 005B5320 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 005B5346

Part of subcall function 005BB2C4: HeapCreate.KERNEL32(00000000,00001000,00000000,005B537E,00000001), ref: 005BB2D5
Part of subcall function 005BB2C4: HeapDestroy.KERNEL32 ref: 005BB314

GetCommandLineA.KERNEL32 ref: 005B53A6
GetStartupInfoA.KERNEL32(?), ref: 005B53D1
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 005B53F4

Part of subcall function 005B544D: ExitProcess.KERNEL32 ref: 005B546A

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: c305aaafea5752434a90eb38f41c8c429d33974189e7010a9360edcc92d66ed2
Instruction ID: 61e9e0f06172acf076dce06e158b9555e0fe1b97b30278eb918b7c56d0b7af9e
Opcode Fuzzy Hash: c305aaafea5752434a90eb38f41c8c429d33974189e7010a9360edcc92d66ed2
Instruction Fuzzy Hash: FC21B4B1944B46AFEB1CAFA4DD59BBD7FA8FF84700F00042AF5019A291EB745440DBA1

Function 005BA249 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 005BA25D

Strings

, xrefs: 005BA2A6
, xrefs: 005BA282

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: acced1e81391b46b2d9a800b8bf8524fc81180c7b45ce8134d7cd5f628e48ef7
Instruction ID: 8feac04754ae3e1a7d638928782ea5889c3a8ea21c2f59bed21cfd3a2377282a
Opcode Fuzzy Hash: acced1e81391b46b2d9a800b8bf8524fc81180c7b45ce8134d7cd5f628e48ef7
Instruction Fuzzy Hash: 47413B320082585EEB129718DC6ABFABFD9BB01704F2808F6D589C7053D2765A48D7A3

Function 005BF1FA Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,005BEFC2,00000000,00000000,00000000,005B6CB3,00000000,00000000,?,00000000,00000000,00000000), ref: 005BF222
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005BEFC2,00000000,00000000,00000000,005B6CB3,00000000,00000000,?,00000000,00000000,00000000), ref: 005BF256
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005BF270
HeapFree.KERNEL32(00000000,?), ref: 005BF287

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: a2158c197440031b1b98bb2af31e4dc83cc8a837d34fbe207f6c6824d8c6ad6e
Instruction ID: 2f5d71fe6a833a117b1b2554116f1abbde6f24c08b0746fb021d9c98c0b8d672
Opcode Fuzzy Hash: a2158c197440031b1b98bb2af31e4dc83cc8a837d34fbe207f6c6824d8c6ad6e
Instruction Fuzzy Hash: CF116D75204600AFCB208F1DEC95962FBFAFB447257644A3EE195C71B1D371A85AEF10

Function 005DE44F Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0099AF48,?,00000000,?,?,005DD78E,00000010,?,00000000,?,?,?,005DD175,005DD1D8,005DCA59,005DD17B), ref: 005DE48A
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,005DD78E,00000010,?,00000000,?,?,?,005DD175,005DD1D8,005DCA59,005DD17B), ref: 005DE49C
LeaveCriticalSection.KERNEL32(0099AF48,?,00000000,?,?,005DD78E,00000010,?,00000000,?,?,?,005DD175,005DD1D8,005DCA59,005DD17B), ref: 005DE4A5
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,005DD78E,00000010,?,00000000,?,?,?,005DD175,005DD1D8,005DCA59,005DD17B,005D84DA), ref: 005DE4B7

Part of subcall function 005DE3BC: GetVersion.KERNEL32(?,005DE45F,?,005DD78E,00000010,?,00000000,?,?,?,005DD175,005DD1D8,005DCA59,005DD17B,005D84DA,005D977F), ref: 005DE3CF

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 9d86293134f0c893355f2f7a2124a4962e6ded661ceabc3aeccb3ad86bf37d4b
Instruction ID: 819726f5c05c638beb68bdea9d4ec91a3e256d42cfd4c6136f62bb50296504e6
Opcode Fuzzy Hash: 9d86293134f0c893355f2f7a2124a4962e6ded661ceabc3aeccb3ad86bf37d4b
Instruction Fuzzy Hash: 0DF0AF7200421EDFCF20EF5DECC5856B7ACFB2431AB00482BE65587026E734A409EAA1

Function 005BD95B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,005BB087,?,005B5390), ref: 005BD968
InitializeCriticalSection.KERNEL32(?,005BB087,?,005B5390), ref: 005BD970
InitializeCriticalSection.KERNEL32(?,005BB087,?,005B5390), ref: 005BD978
InitializeCriticalSection.KERNEL32(?,005BB087,?,005B5390), ref: 005BD980

Memory Dump Source

Source File: 00000000.00000002.2115954936.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2115934061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116115854.00000000006CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116407572.0000000000915000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116431648.0000000000917000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116453806.0000000000919000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116470820.0000000000923000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116489093.0000000000924000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116513053.000000000092A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116531446.000000000092B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116562819.000000000093A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116583185.000000000093E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000093F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000988000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.0000000000999000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116604791.000000000099F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2116713997.00000000009A1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_MQNT.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 5305b68c16c88aaa0b1bf9994405d9a83480e21acf49109446e433e50e6f3bdd
Instruction ID: 9d93f04f6e04f713068ef9f3c719804f2383eb45da4ce9559e058ecdaa81e7ec
Opcode Fuzzy Hash: 5305b68c16c88aaa0b1bf9994405d9a83480e21acf49109446e433e50e6f3bdd
Instruction Fuzzy Hash: B5C002B1828938ABCE166B65FE4684E3F66EB052A0301806BE144720309A621C24FFC0

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MQNT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\desktop.ini

C:\Users\user\Desktop\update.exe

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
MQNT.exe

Function 005DD371 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMON

Function 005DDFD3 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 005BB2C4 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 005D84EA Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Function 005B7AE6 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Function 005B6C65 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 005B6B3E Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Function 005D92E6 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON