Play interactive tour

Edit tour

Analysis Report RFQ No A'4762QHTECHNICAL DETAILS.exe

Overview

General Information

Sample Name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
Analysis ID:	385367
MD5:	229efbbb09801172c9d35851a3ce484e
SHA1:	bfa35ba04c7cce63dc1fdf161cebfa7bd9e63cd2
SHA256:	3744807c95cb27f6e9c5ef01f2b5b32a78ceef7016fb54babe6a797977b72763
Infos:
Most interesting Screenshot:

Detection

AgentTesla Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected MultiObfuscated

Yara detected Snake Keylogger

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Beds Obfuscator

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Startup

System is w10x64

RFQ No A'4762QHTECHNICAL DETAILS.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe' MD5: 229EFBBB09801172C9D35851A3CE484E)

schtasks.exe (PID: 5992 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "glory@alyamamha.comuzzNhLK6smtp.alyamamha.com"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_MultiObfuscated	Yara detected MultiObfuscated	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.2c90320.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe' , ParentImage: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe, ParentProcessId: 5584, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', ProcessId: 5992

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "glory@alyamamha.comuzzNhLK6smtp.alyamamha.com"}}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Virustotal: Detection: 22%			Perma Link
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Joe Sandbox ML: detected

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View	IP Address: 131.186.113.70 131.186.113.70
Source: Joe Sandbox View	IP Address: 172.67.188.154 172.67.188.154

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndn
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orgD8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.3
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.3x
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary:

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0087929D	0_2_0087929D
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BC164	0_2_012BC164
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BE5AB	0_2_012BE5AB
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BE5B0	0_2_012BE5B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC54D8	0_2_05CC54D8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6490	0_2_05CC6490
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC97A8	0_2_05CC97A8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC3F28	0_2_05CC3F28
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC46E0	0_2_05CC46E0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC2113	0_2_05CC2113
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCEB80	0_2_05CCEB80
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCABA0	0_2_05CCABA0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCDB50	0_2_05CCDB50
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8581	0_2_05CC8581
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8590	0_2_05CC8590
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC54CA	0_2_05CC54CA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9CC0	0_2_05CC9CC0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9CE0	0_2_05CC9CE0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8C40	0_2_05CC8C40
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6453	0_2_05CC6453
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC2C30	0_2_05CC2C30
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8C32	0_2_05CC8C32
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6433	0_2_05CC6433
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC87A0	0_2_05CC87A0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC87B0	0_2_05CC87B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9749	0_2_05CC9749
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC4F68	0_2_05CC4F68
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC4F78	0_2_05CC4F78
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCDED8	0_2_05CCDED8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7ED8	0_2_05CC7ED8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC46D0	0_2_05CC46D0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7EE8	0_2_05CC7EE8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC3E7D	0_2_05CC3E7D
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC81D8	0_2_05CC81D8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC81E8	0_2_05CC81E8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCB068	0_2_05CCB068
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCAB91	0_2_05CCAB91
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6377	0_2_05CC6377
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7300	0_2_05CC7300
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC5318	0_2_05CC5318
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC32EA	0_2_05CC32EA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC32F8	0_2_05CC32F8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC72F0	0_2_05CC72F0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCE2B0	0_2_05CCE2B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8A51	0_2_05CC8A51
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8A60	0_2_05CC8A60
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4C880	0_2_0BE4C880
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4D2D0	0_2_0BE4D2D0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4E010	0_2_0BE4E010
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE44458	0_2_0BE44458
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4D2CB	0_2_0BE4D2CB
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE422A0	0_2_0BE422A0

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.478928457.0000000006020000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479237220.000000000BA90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469874287.0000000000908000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYE18D5SL.exe4 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469960912.0000000000CF6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QscoSjjAofYnyT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@3/2

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp

Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Virustotal: Detection: 22%
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File read: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe'
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 0x8EA81DF5 [Sat Nov 4 04:26:29 2045 UTC]

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012B5553 push edx; ret	0_2_012B5554
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BF65A push 0000003Ah; iretd	0_2_012BF65C
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40B68 pushad ; ret	0_2_0BE40BB5
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE46B30 pushfd ; iretd	0_2_0BE46B32
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE46B33 pushfd ; iretd	0_2_0BE46B3A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40B00 pushad ; ret	0_2_0BE40BB5
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE409E8 push edi; iretd	0_2_0BE40A2A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE409D7 push edi; iretd	0_2_0BE409DA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40910 push edi; iretd	0_2_0BE40912
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40913 push edi; iretd	0_2_0BE4091A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE408F1 push edi; iretd	0_2_0BE408F2
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40841 push edi; iretd	0_2_0BE40842
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40858 push edi; iretd	0_2_0BE4085A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4085B push edi; iretd	0_2_0BE40862

Source: initial sample	Static PE information: section name: .text entropy: 7.86754540187
Source: initial sample	Static PE information: section name: .text entropy: 7.86754540187

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe TID: 6136

Thread sleep time: -31500s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Thread delayed: delay time: 31500

Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Code function: 0_2_0BE4C880 LdrInitializeThunk,

0_2_0BE4C880

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'

Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.2c90320.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading1	OS Credential Dumping2	Security Software Discovery211	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ No A'4762QHTECHNICAL DETAILS.exe	22%	Virustotal		Browse
RFQ No A'4762QHTECHNICAL DETAILS.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
RFQ No A'4762QHTECHNICAL DETAILS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
freegeoip.app	1%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Virustotal		Browse
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.3x	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.3	0%	Avira URL Cloud	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	172.67.188.154	true	false	1%, Virustotal, Browse	unknown
checkip.dyndns.com	131.186.113.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/HB	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/84.17.52.3x	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/84.17.52.3	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://freegeoip.app	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndn	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.orgD8	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.113.70	checkip.dyndns.com	United States		33517	DYNDNSUS	false
172.67.188.154	freegeoip.app	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385367
Start date:	12.04.2021
Start time:	11:36:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 43.2% Quality standard deviation: 43.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 83 Number of non-executed functions: 29
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 131.253.33.200, 13.107.22.200, 93.184.220.29, 92.122.145.220, 168.61.161.212, 13.64.90.137, 20.50.102.62, 184.30.24.56, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 20.82.210.154 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:37:10	API Interceptor	1x Sleep call for process: RFQ No A'4762QHTECHNICAL DETAILS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
131.186.113.70	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	fyi.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	cricket.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Yeni siparis _WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Yeni siparis _WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Payment Slip E05060_47.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	Urgent RFQ_AP65425652_040621,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - XIFFA55.PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	AD1-2001028L.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO XIFFA55,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - E3007921.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SWIFT copy.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Inquiries.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	8090800.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	IMG_501_367_089.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	CE90343555.exe	Get hash	malicious	Browse	checkip.dyndns.org/
172.67.188.154	3MndTUzGQn.exe	Get hash	malicious	Browse	freegeoip.app/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.app	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	SOA.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	104.21.19.200
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	104.21.19.200
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	172.67.188.154
	fyi.exe	Get hash	malicious	Browse	172.67.188.154
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	EJ000.exe	Get hash	malicious	Browse	172.67.188.154
	KOCjBQexoH.exe	Get hash	malicious	Browse	172.67.188.154
	36crb2VRQn.exe	Get hash	malicious	Browse	172.67.188.154
	Message Body.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	172.67.188.154
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	172.67.188.154
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	ETL_126_072_60.doc	Get hash	malicious	Browse	104.21.19.200
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	172.67.188.154
	lfQuSBwdSf.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	172.67.188.154
checkip.dyndns.com	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOA.exe	Get hash	malicious	Browse	131.186.161.70
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	216.146.43.70
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	131.186.113.70
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	131.186.161.70
	fyi.exe	Get hash	malicious	Browse	131.186.113.70
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	EJ000.exe	Get hash	malicious	Browse	131.186.161.70
	KOCjBQexoH.exe	Get hash	malicious	Browse	131.186.161.70
	36crb2VRQn.exe	Get hash	malicious	Browse	162.88.193.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	216.146.43.71
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	131.186.113.70
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	216.146.43.70
	ETL_126_072_60.doc	Get hash	malicious	Browse	216.146.43.70
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	216.146.43.71
	lfQuSBwdSf.exe	Get hash	malicious	Browse	162.88.193.70
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	131.186.113.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DYNDNSUS	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOA.exe	Get hash	malicious	Browse	131.186.161.70
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	216.146.43.70
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	131.186.113.70
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	131.186.161.70
	fyi.exe	Get hash	malicious	Browse	131.186.113.70
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	EJ000.exe	Get hash	malicious	Browse	131.186.161.70
	KOCjBQexoH.exe	Get hash	malicious	Browse	131.186.161.70
	36crb2VRQn.exe	Get hash	malicious	Browse	162.88.193.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	216.146.43.71
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	131.186.113.70
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	216.146.43.70
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	216.146.43.71
	lfQuSBwdSf.exe	Get hash	malicious	Browse	162.88.193.70
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	PRICE_QUOTATION_RFQ_000988_PDF.exe	Get hash	malicious	Browse	131.186.113.70
CLOUDFLARENETUS	Rechung-2021.12.04.2021.pdf.exe	Get hash	malicious	Browse	162.159.130.233
	INV_0008434567987.doc	Get hash	malicious	Browse	172.67.222.176
	mfalomirm@gentalia.eu.HTM	Get hash	malicious	Browse	104.19.133.58
	KHAWATMI CO.IMPORT & EXPORT_PDF.exe	Get hash	malicious	Browse	104.21.17.57
	YNzE2QUkvaTK7kd.exe	Get hash	malicious	Browse	172.67.148.14
	NdBLyH2h5d.exe	Get hash	malicious	Browse	23.227.38.74
	s6G3ZtvHZg.exe	Get hash	malicious	Browse	172.67.130.43
	4oItdZkNOZ.exe	Get hash	malicious	Browse	23.227.38.74
	ieuHgdpuPo.exe	Get hash	malicious	Browse	104.21.17.57
	Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	Payment Slip.doc	Get hash	malicious	Browse	104.21.17.57
	Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe	Get hash	malicious	Browse	104.21.17.57
	INQUIRY 1820521 pdf.exe	Get hash	malicious	Browse	104.21.82.58
	PaymentCopy.vbs	Get hash	malicious	Browse	172.67.222.131
	PAYMENT COPY.exe	Get hash	malicious	Browse	104.21.28.135
	PO NUMBER 3120386 3120393 SIGNED.exe	Get hash	malicious	Browse	1.2.3.4
	Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	BL2659618800638119374.xls.exe	Get hash	malicious	Browse	172.67.222.176
	Purchase order and quote confirmation.exe	Get hash	malicious	Browse	172.67.222.176
	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Rechung-2021.12.04.2021.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	KHAWATMI CO.IMPORT & EXPORT_PDF.exe	Get hash	malicious	Browse	172.67.188.154
	ieuHgdpuPo.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	BL2659618800638119374.xls.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase order and quote confirmation.exe	Get hash	malicious	Browse	172.67.188.154
	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe	Get hash	malicious	Browse	172.67.188.154
	SOA.exe	Get hash	malicious	Browse	172.67.188.154
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	172.67.188.154
	GQ5JvPEI6c.exe	Get hash	malicious	Browse	172.67.188.154
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	172.67.188.154
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	172.67.188.154
	COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exe	Get hash	malicious	Browse	172.67.188.154
	9479_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	fyi.exe	Get hash	malicious	Browse	172.67.188.154
	MINUSCA P01-21.exe	Get hash	malicious	Browse	172.67.188.154
	Invoice-ID-(87656532).vbs	Get hash	malicious	Browse	172.67.188.154

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp Download File
Process:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.197683476639004
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBuBtn:cbh47TlNQ//rydbz9I3YODOLNdq3I
MD5:	37FC4BD0D262FDAF006E8C7A4B7468F3
SHA1:	899AA212659232891A464070114278B24C7AADBA
SHA-256:	381DA5EA1C882FEDC5BCA004457C3EFE5773D6AA7632C83F6601C11422256F8F
SHA-512:	1D498AFB062EBCF83A625A02E2CED603D58257B2B52E0B61EDD9BE43065BFC2A2C47146320FE7D4FA145FE15F90FCE5C1C6CFC7B7EFF6AC62C871EE45BD93C7B
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe Download File
Process:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	611328
Entropy (8bit):	7.859751813686353
Encrypted:	false
SSDEEP:	12288:XaRN/cqUrIyKEiFzxpETMWMFUcl0qtxc1y:Xac9OEibSTMCcl09o
MD5:	229EFBBB09801172C9D35851A3CE484E
SHA1:	BFA35BA04C7CCE63DC1FDF161CEBFA7BD9E63CD2
SHA-256:	3744807C95CB27F6E9C5EF01F2B5B32A78CEEF7016FB54BABE6A797977B72763
SHA-512:	F59E194C95CF1BCE01AC97AB989CC69AAA95E87A18E1C640BB0196FA479ADD9754D7EE77F26562B0CEC0D66A4BEE535703CAFCDA4F7359B546D785190A7CADCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J..........Nh... ........@.. ....................................@..................................g..O....................................g............................................... ............... ..H............text...TH... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B................0h......H...........@o......1........T..........................................".(......r...p.......{...."..}......{...."..}....".(......0...........r...p.+....0...........r...p.+..".(.......{...."..}......{...."..}....".(.....^..}.....(.......(.......0............o......,y.s.......{....o....o.......{....o....o.....~......,....(......+....(...........,..(....o.....s....(......+..r...p(....&......0..5.........o....r...p(....,..o....r...p(....+....,....+...+......0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.859751813686353
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
File size:	611328
MD5:	229efbbb09801172c9d35851a3ce484e
SHA1:	bfa35ba04c7cce63dc1fdf161cebfa7bd9e63cd2
SHA256:	3744807c95cb27f6e9c5ef01f2b5b32a78ceef7016fb54babe6a797977b72763
SHA512:	f59e194c95cf1bce01ac97ab989cc69aaa95e87a18e1c640bb0196fa479add9754d7ee77f26562b0cec0d66a4bee535703cafcda4f7359b546d785190a7cadca
SSDEEP:	12288:XaRN/cqUrIyKEiFzxpETMWMFUcl0qtxc1y:Xac9OEibSTMCcl09o
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J..........Nh... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49684e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8EA81DF5 [Sat Nov 4 04:26:29 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x967fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x5f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x967e0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94854	0x94a00	False	0.889575339045	data	7.86754540187	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x5f8	0x600	False	0.440755208333	data	4.258989477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x98090	0x366	data
RT_MANIFEST	0x98408	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Integra Wealth
Assembly Version	1.8.9.10
InternalName	r.exe
FileVersion	1.9.1.0
CompanyName	Integra Wealth
LegalTrademarks
Comments
ProductName	ReplacementFallback
ProductVersion	1.9.1.0
FileDescription	ReplacementFallback
OriginalFilename	r.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:37:14.259453058 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.321317911 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.321487904 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.322391987 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.382623911 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382662058 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382684946 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382833004 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.383936882 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.444139004 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.475239992 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.536591053 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.536684990 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.537447929 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.598752022 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.598804951 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.598855019 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.599024057 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.599848986 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.661312103 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:15.636893988 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.688484907 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.688607931 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.728559017 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.780066967 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785190105 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785211086 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785406113 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.795664072 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.849005938 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.849282980 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.891508102 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.896435976 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.948019028 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004017115 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004048109 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004134893 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:38:56.038856030 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:38:56.092046976 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:38:56.092129946 CEST	49718	443	192.168.2.3	172.67.188.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:37:02.075067043 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.123822927 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.197729111 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.272211075 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.481626987 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.535183907 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.751250029 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.811563969 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:03.355627060 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:03.405927896 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:04.256092072 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:04.304872036 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:05.209270954 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:05.262332916 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:06.623615026 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:06.672255993 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:07.755645990 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:07.804367065 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:08.631408930 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:08.682194948 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:09.757807970 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:09.808001041 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:10.705699921 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:10.761672974 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:11.649863958 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:11.698684931 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:14.106566906 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:14.158390999 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:14.180814028 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:14.229562044 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:15.572236061 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:15.634001017 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:15.944880009 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:15.996675014 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:16.948900938 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:17.006350040 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:18.056193113 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:18.108208895 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:19.183157921 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:19.232482910 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:21.441648006 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:21.490380049 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:22.368689060 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:22.417583942 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.004416943 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.053208113 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.394790888 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.457628012 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.914904118 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.966495991 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:39.009825945 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:39.069066048 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:46.512948036 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:46.572705984 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:03.394474983 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:03.510359049 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.072164059 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.129156113 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.483156919 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.548268080 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.703880072 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.761075974 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:05.216237068 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:05.276561975 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:05.792805910 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:05.941467047 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:06.527621984 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:06.612879992 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:07.184705019 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:07.293843031 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:09.072093010 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:09.121021032 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:10.160310984 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:10.218971968 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:10.689018965 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:10.747669935 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:16.009843111 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:16.070530891 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:46.866910934 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:47.476486921 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:48.745969057 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:48.803812027 CEST	53	58784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 11:37:14.106566906 CEST	192.168.2.3	8.8.8.8	0x8dad	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.180814028 CEST	192.168.2.3	8.8.8.8	0x97e1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.572236061 CEST	192.168.2.3	8.8.8.8	0xe9dc	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.634001017 CEST	8.8.8.8	192.168.2.3	0xe9dc	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.634001017 CEST	8.8.8.8	192.168.2.3	0xe9dc	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49716	131.186.113.70	80	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 11:37:14.322391987 CEST	1081	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 12, 2021 11:37:14.382662058 CEST	1081	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49717	131.186.113.70	80	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 11:37:14.537447929 CEST	1082	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 12, 2021 11:37:14.598804951 CEST	1082	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 11:37:15.785211086 CEST	172.67.188.154	443	192.168.2.3	49718	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Apr 12, 2021 11:37:15.785211086 CEST	172.67.188.154	443	192.168.2.3	49718	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584 Parent PID: 5776

General

Start time:	11:37:09
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe'
Imagebase:	0x870000
File size:	611328 bytes
MD5 hash:	229EFBBB09801172C9D35851A3CE484E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5992 Parent PID: 5584

General

Start time:	11:37:12
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Imagebase:	0x1190000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6004 Parent PID: 5992

General

Start time:	11:37:12
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584 Parent PID: 5776 RFQ No A'4762QHTECHNICAL DETAILS.exeCOMMON

Executed Functions

Function 05CC6377, Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

ANK`, xrefs: 05CC66CF
48R,, xrefs: 05CC66FE

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 48R,$ANK`
API String ID: 0-873075115
Opcode ID: 05c5539a2181bd8c47b7fc202f9d092b41ae53cf13e51d2bfcacef66a7ccec6b
Instruction ID: ad57ab1bae1d0d575fed2f4526046be700803fb73f1d7a2edf467f8016254c04
Opcode Fuzzy Hash: 05c5539a2181bd8c47b7fc202f9d092b41ae53cf13e51d2bfcacef66a7ccec6b
Instruction Fuzzy Hash: 44D14DB1E15249DFC704CFA9C5859AEFFB2FF89300B648999D402AB255C734E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6453, Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

ANK`, xrefs: 05CC66CF
48R,, xrefs: 05CC66FE

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 48R,$ANK`
API String ID: 0-873075115
Opcode ID: 62c1f8c99e9539a12143d4fbfcc23b457985012acb9cb8c6778e04c691408c5b
Instruction ID: e6718756c9aa191dba916332b67878dd0a83105b478b4d95ec947123cd5b71b2
Opcode Fuzzy Hash: 62c1f8c99e9539a12143d4fbfcc23b457985012acb9cb8c6778e04c691408c5b
Instruction Fuzzy Hash: 8CC130B4D14209DFCB04CF99C5859AEFFB2FF89304B248999D416AB255D734E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6490, Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

ANK`, xrefs: 05CC66CF
48R,, xrefs: 05CC66FE

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 48R,$ANK`
API String ID: 0-873075115
Opcode ID: f1dbbcf58842390fa9b35f02782a39fa52a33cd8e39fbda88db4c1474de66356
Instruction ID: 11f84d6d9500ec3aa7c998bd40294e6fe5112d6aa20cf6b1308aa43cdf155ac7
Opcode Fuzzy Hash: f1dbbcf58842390fa9b35f02782a39fa52a33cd8e39fbda88db4c1474de66356
Instruction Fuzzy Hash: FCC1EDB4E14209DFCB04CF9AC5859AEFFB2FF89300B248959D416AB255D734E982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6433, Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

ANK`, xrefs: 05CC66CF
48R,, xrefs: 05CC66FE

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 48R,$ANK`
API String ID: 0-873075115
Opcode ID: 26c2aff20b70957656ee9bbc66961bba954757c2467c54e57dd1baf315e39fd9
Instruction ID: ad45a0ad0ff16505df17e59ed93451c23e3772e80016ec4d07dc51a702d34275
Opcode Fuzzy Hash: 26c2aff20b70957656ee9bbc66961bba954757c2467c54e57dd1baf315e39fd9
Instruction Fuzzy Hash: 44C10FB4D1420ADFCB04CF99C5858AEFFB2FF89304B248999D416AB255D734E982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4E010, Relevance: 1.9, APIs: 1, Instructions: 398COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(00000000), ref: 0BE4E51D

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e924cd19cb89e75a6f25e09fbc6e8173b226fc764ee9893eb55a492f5ff76543
Instruction ID: 87e4f7e421e2d3505c095e9623040e7deae4c9f0670136e4e3ebee62904d22f4
Opcode Fuzzy Hash: e924cd19cb89e75a6f25e09fbc6e8173b226fc764ee9893eb55a492f5ff76543
Instruction Fuzzy Hash: 5BF15F74E002089FDB18DFA8D584BADBBF2BF84304F158568E415AB385DB74ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDB50, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

(nu, xrefs: 05CCDD70

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: (nu
API String ID: 0-302910928
Opcode ID: f3c42a760c9e1e13945ed4fe413204c9b5e0ea87fb003afc3908a94235426904
Instruction ID: 673eb255bbaee2cb053390f124a8099375bf30aa2b289fd77e415c3c434a8e51
Opcode Fuzzy Hash: f3c42a760c9e1e13945ed4fe413204c9b5e0ea87fb003afc3908a94235426904
Instruction Fuzzy Hash: 2271F874E102499FDB04EFE5D9549AEBBB2FF88300F20842AE81AA7394DB745942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0BE44458, Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ff475d8783cae8ef666e86b187747ab593b3a6f891f66723aae4b7b9e9f1cb
Instruction ID: b67391b0cdee84b5b0daaf76ab0ebe9932758a71a7aa7a6036310c18556420a3
Opcode Fuzzy Hash: c6ff475d8783cae8ef666e86b187747ab593b3a6f891f66723aae4b7b9e9f1cb
Instruction Fuzzy Hash: B9727A70B001199FDB14DFA9D984BAEBBF6AF88308F158069E415AB3A1DF34DD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05CC2113, Relevance: .6, Instructions: 553COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dff81a2d07468376a942a1d46b77ebae3404917015dbe69f9e54587d3aeef29
Instruction ID: 7a0a66afa1a1835465a53a57244adb82163dda8fe9b82f985eeb5542d474214b
Opcode Fuzzy Hash: 3dff81a2d07468376a942a1d46b77ebae3404917015dbe69f9e54587d3aeef29
Instruction Fuzzy Hash: 4D52EC74A041189FDB64DF64C898ADDBBB6EF89304F1181D9E50AA7390DF34AE81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4D2D0, Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5654e0f71b56e66b74fff057b8e46638dd61410159777fedc227c831ba409304
Instruction ID: 1be8f485ce85e0de0e7e5ec285a6f8f5e2aab94d1f9095a5e927bb78d5029e6b
Opcode Fuzzy Hash: 5654e0f71b56e66b74fff057b8e46638dd61410159777fedc227c831ba409304
Instruction Fuzzy Hash: F3228330B002048FD764EBB9D8597AEBBF6AF88304F158429E50AEB791DF749C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4C880, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2958360d06f0719a2deead517607e04504a4744f6b31849916427d01bb5734e
Instruction ID: ed0ceb136a1bd139ec47824747b13e4a68cef0be641e0d85ab69b5cf2a87a7fc
Opcode Fuzzy Hash: f2958360d06f0719a2deead517607e04504a4744f6b31849916427d01bb5734e
Instruction Fuzzy Hash: E2F17E31E012148FDB24EFB9E9456ADB7B2EF88304F259469E509E7391EF34D891CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4D2CB, Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846906202815177babc55b0c5a98682a1e8b9c970f7f45ae377c569e02989de1
Instruction ID: 4116ae72ef0dde248bef613436cc91e2fe4f78947744765b342acbdcc16e7612
Opcode Fuzzy Hash: 846906202815177babc55b0c5a98682a1e8b9c970f7f45ae377c569e02989de1
Instruction Fuzzy Hash: 95D18130B002048FD764ABB9E85976E7AE6AFC9304F158439E506EBBD0DF749C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9749, Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004a65d50ba2252175a9a627e534e85ac0df3b7a519c400f277fd60af5825ef6
Instruction ID: 5bd6fbed11a65e0b30f171be26eb5b4a9127fa8e4a7327823acf2c5eb3b17fca
Opcode Fuzzy Hash: 004a65d50ba2252175a9a627e534e85ac0df3b7a519c400f277fd60af5825ef6
Instruction Fuzzy Hash: E3E15C71A10209DFDB04EFA9E585A8DFFF1FB49310F1488A9E416DB2A5DB34A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05CC97A8, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1b40f208770556a94dfc8e82c0fde47fc84e51df2b1a5e8c53238d2ce898ab
Instruction ID: 5adb1d8ec3686e616b0985e10fa317bf5a4248a4f79dcc51c209d50335e40e6b
Opcode Fuzzy Hash: 3a1b40f208770556a94dfc8e82c0fde47fc84e51df2b1a5e8c53238d2ce898ab
Instruction Fuzzy Hash: 08D12C71A10209DFDB44EFA9E584A8DFFF1FB49310B1488A9E419DB2A5DB34AD81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05CC3E7D, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af94db2fbaef2a7dc943421ac11ba66a0c430584b3fdfba2f30ef0e665ba1c5
Instruction ID: decdd0c7a6aebf97a83953ccb465fe89da999e27fc24792c9ea6e3fdecf793c1
Opcode Fuzzy Hash: 8af94db2fbaef2a7dc943421ac11ba66a0c430584b3fdfba2f30ef0e665ba1c5
Instruction Fuzzy Hash: 5FA136B5E142498FDB08CFAAD9816DEBFB2EF88300F14C86AD515AB754D7309946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05CCABA0, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0167e4869cd28be9ca2f7a412328dbbd9f8b9cca9adfac36b27ea8e1ac8bf4f9
Instruction ID: 131a35b7ca4d37bd2448743755964fbcb1f6d1259f61ce653e084bee29f78961
Opcode Fuzzy Hash: 0167e4869cd28be9ca2f7a412328dbbd9f8b9cca9adfac36b27ea8e1ac8bf4f9
Instruction Fuzzy Hash: 44A126B0E0421D8BCB08DFEAC945ADEFBF2BF88300F14D96AD405AB255E7359941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05CCAB91, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812069cc3f48381f87c9d43c2566077a66b28a45bde96eb65aeb6990adfdff90
Instruction ID: 564e8f878e16e12017fac54eb63d45aa0333190a1f53bb0ad2109d2ed48ca228
Opcode Fuzzy Hash: 812069cc3f48381f87c9d43c2566077a66b28a45bde96eb65aeb6990adfdff90
Instruction Fuzzy Hash: D3A127B4E0121D8BCB08DFEAC945ADEFBF2BF88300F14C96AD405AB255D7359A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05CC3F28, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48e7b03a28ccfaf526afaebab890c652db5b859f6b4ccb151900893886b6c98
Instruction ID: 41f92cc1581d588ee45de9b6f0b4b07469581790bb0271f6d8e4b2468c78167d
Opcode Fuzzy Hash: c48e7b03a28ccfaf526afaebab890c652db5b859f6b4ccb151900893886b6c98
Instruction Fuzzy Hash: 7291D374E042198FDB08CFEAD984ADEFBB2AF89304F10986AD515BB354DB309945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5318, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b725e3753bfd12ee6b875230e8aa6ecca36684e8cd8e340f5251116e6066b33
Instruction ID: ffcbf7e97ad0df9614712f4e37d209876bc36d4a019c43b6a84a55ada4e2093d
Opcode Fuzzy Hash: 9b725e3753bfd12ee6b875230e8aa6ecca36684e8cd8e340f5251116e6066b33
Instruction Fuzzy Hash: 1F614B74E1520ADFCB04CFA5D4809AEFBB2FF89310F15999AE505BB354D770AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05CC46D0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ad65d851fcbf612e7f26a2cfec9eca8087fc9c391f0ad041a8b142352640ed
Instruction ID: 3919585e033351f1d2a7f6873c52ebb8a187868615ebd328d94581e997dddcc7
Opcode Fuzzy Hash: 38ad65d851fcbf612e7f26a2cfec9eca8087fc9c391f0ad041a8b142352640ed
Instruction Fuzzy Hash: 48512770E042199FDB08CFAAD8906AEFBF2FF89301F14C56AD419B7254D7349A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CC46E0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9ae62a1009a8488e69b60364c30bff15f5da45a1a37633f8a630fd71176898
Instruction ID: a762a9595eea677fa0d05b97e24bf794bf6368a4659e34e0cd4c8b06076e63bd
Opcode Fuzzy Hash: 8c9ae62a1009a8488e69b60364c30bff15f5da45a1a37633f8a630fd71176898
Instruction Fuzzy Hash: B8510770E142199FDF08CFAAC9906AEFBF2FF89201F14C56AD419B7254D7345A41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CCEB80, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051cee9e03c8c97448101fe90f99c1359be5bd2e170dbda79dadf5cfdfdbcfff
Instruction ID: 09341c1403effdb6302782167901199950f2cbec7e16c9f2976c2adcb5e4519a
Opcode Fuzzy Hash: 051cee9e03c8c97448101fe90f99c1359be5bd2e170dbda79dadf5cfdfdbcfff
Instruction Fuzzy Hash: F4513674E152088FDB08CFAAD8446EDFBB7FB8A300F10942AE406A7294DB3499468B54

Uniqueness

Uniqueness Score: -1.00%

Function 05CC54D8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32a793022bc12d7b2a30ba206d157ec5768d8f0af41801f72adf48edd87a1d5
Instruction ID: c2aced76f378dd9e579de2a296e4b8580c66d29e2b2f656426f3c72f020dee4b
Opcode Fuzzy Hash: d32a793022bc12d7b2a30ba206d157ec5768d8f0af41801f72adf48edd87a1d5
Instruction Fuzzy Hash: B221D4B1E006189BEB18CFAAD9447DEFBB3AFC8310F14C16AD909AA254DB351945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CC54CA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5249da5370c3c3d12d734d16a0cb7056d008d43e354892c54f46a119e4963bb7
Instruction ID: cdbb943fd5d92c13b6c8a13ba8d22d99b2ecba06c6dd19e90b5e3e09f4e0159f
Opcode Fuzzy Hash: 5249da5370c3c3d12d734d16a0cb7056d008d43e354892c54f46a119e4963bb7
Instruction Fuzzy Hash: 7521B5B1E006189BEB18CFAAC9457DEBFF3AFC8300F14C169D809AA254DB755A458F94

Uniqueness

Uniqueness Score: -1.00%

Function 012BB6C1, Relevance: 6.1, APIs: 4, Instructions: 121threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 012BB730
GetCurrentThread.KERNEL32 ref: 012BB76D
GetCurrentProcess.KERNEL32 ref: 012BB7AA
GetCurrentThreadId.KERNEL32 ref: 012BB803

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9d026e192bbb7704daae8c23e9b047318ef29b041df411bdad78e9d3bdcca494
Instruction ID: 099aa2740d80c8e217f6d9104ac4a0d7e4b6b37af696f37f664eb653dee8031a
Opcode Fuzzy Hash: 9d026e192bbb7704daae8c23e9b047318ef29b041df411bdad78e9d3bdcca494
Instruction Fuzzy Hash: F25163B09146499FEB14DFAAC988BDEBFF1BF48304F24805AE009A7391D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 012BB6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 012BB730
GetCurrentThread.KERNEL32 ref: 012BB76D
GetCurrentProcess.KERNEL32 ref: 012BB7AA
GetCurrentThreadId.KERNEL32 ref: 012BB803

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f56ce00e7dcb8dfb62c24098f932e8e23218ac837b4c95bcedd74f67fbdc9556
Instruction ID: db349265d38ecc6512e8238e7c66ccada8d8cec4688dd7ef77ecdda431b9ab56
Opcode Fuzzy Hash: f56ce00e7dcb8dfb62c24098f932e8e23218ac837b4c95bcedd74f67fbdc9556
Instruction Fuzzy Hash: 425163B09146499FEB14DFAAC988BDEBBF0BF48314F248059E009B7390DB746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4A6B9, Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b8950f6d5b0c7f769b87b27bfbec6f89a4c1fdced419d9053a75600e5c90aa
Instruction ID: ab5d6658731bb05e3510b44428f009712e8e16843505fa4dbd2d5f4ea5053b61
Opcode Fuzzy Hash: d7b8950f6d5b0c7f769b87b27bfbec6f89a4c1fdced419d9053a75600e5c90aa
Instruction Fuzzy Hash: D7D10F30A41205CFD798AB28F91D7AD7BB6BB84316F149439E007EBAA1DF748C85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 012BFD2F, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012BFE4A

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f08dfc9530a78134a7a448262c929ea351103ac83ba351200404205d1e9f70f4
Instruction ID: 242b50b302fc4ec41b65b902b859cc1a6a9d1bf7f3dd39e2049ad4327ce4af04
Opcode Fuzzy Hash: f08dfc9530a78134a7a448262c929ea351103ac83ba351200404205d1e9f70f4
Instruction Fuzzy Hash: 4E41DFB1D103099FDF14CFA9C984ADEBBB1FF88350F24822AE919AB211D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012BFD38, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 012BFE4A

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f45cd207fab7766a3c75a1cddb140e6943d9ec270662c5c325b48a666f11af23
Instruction ID: 0b6c01f4253ae9f150da2d2d1cbbc7b28637301eadb6a45a3d6945130cea573e
Opcode Fuzzy Hash: f45cd207fab7766a3c75a1cddb140e6943d9ec270662c5c325b48a666f11af23
Instruction Fuzzy Hash: 1B41D1B1D103099FDF14CF99C980ADEBFB5BF88350F24812AE519AB211D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012B3DE8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 012B5421

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e7090ad00ac76071defe3e17f8ae842ca04c6f99f79e8166567a042061162e38
Instruction ID: 6856f81d091287223903264630a7c73a71e009dc9a3c5d803146d6e02874fde9
Opcode Fuzzy Hash: e7090ad00ac76071defe3e17f8ae842ca04c6f99f79e8166567a042061162e38
Instruction Fuzzy Hash: CA41F370D04619CFDB24DFA9C8847CEBBB1FF48305F208059D508AB251DBB96945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B5367, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 012B5421

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 49f33735951a1da70961d004b802cb05567a7a3f0f6331f64f6d34a0b17b3c1e
Instruction ID: 2d3f0b1cf8d5ae665e3e49cb41814754af68d84de1558733e0288c241dceff41
Opcode Fuzzy Hash: 49f33735951a1da70961d004b802cb05567a7a3f0f6331f64f6d34a0b17b3c1e
Instruction Fuzzy Hash: AC41F271D00219CEDB24DFA9C8847CEBBB1FF88309F20805AD508AB251DBB95949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4AAB0, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0BE4AAC3

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4119e9c3f5951374aeaa43efffd3df859b238f17a1ad0effc655d5388cc78c19
Instruction ID: f104d4fd414fc2e5d8396ab78e25c509a04806433c785eb7dc2c85680c1bbde8
Opcode Fuzzy Hash: 4119e9c3f5951374aeaa43efffd3df859b238f17a1ad0effc655d5388cc78c19
Instruction Fuzzy Hash: CD31CAB1211219CFDBD8AB29FA2E5583B79FB443137109221E117EA8B1DFA04886CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0BE4AAA7, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0BE4AAC3

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8fa99d4c6e2ee1275ffe1e41d07a3174374cc7183f683f20df8d61e97dd046db
Instruction ID: d5b3d3743226b72dbf7f06d15802471b94e26905fc6ebf5a310cf15c22f9ba5a
Opcode Fuzzy Hash: 8fa99d4c6e2ee1275ffe1e41d07a3174374cc7183f683f20df8d61e97dd046db
Instruction Fuzzy Hash: 1B31DAB1211219CFD7D8AB29FA2E5583B79FB44313B109231E017EA8B1DFB04886DF20

Uniqueness

Uniqueness Score: -1.00%

Function 012BB8F8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012BB97F

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b739c7db50a9416a4d09b4d39ad4ce01feac310eefa7ef6112fb6e722b56d6ab
Instruction ID: 823488c375673655a539b893324d8b07f01a9fc5d4b25cf7f5044bccdf989681
Opcode Fuzzy Hash: b739c7db50a9416a4d09b4d39ad4ce01feac310eefa7ef6112fb6e722b56d6ab
Instruction Fuzzy Hash: 6A21E4B59002089FDB10CFA9D884ADEBBF8EB48320F14801AE914A7310D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BB8F0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012BB97F

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8b5818f0b0244f2b110e170093d708afe12c13d2ef34b2eca9d2e4a1fd51172b
Instruction ID: 74987f44b36f09cd2941dd3ef8d5b937dec74305b2c8893ea18883dd67e1aeba
Opcode Fuzzy Hash: 8b5818f0b0244f2b110e170093d708afe12c13d2ef34b2eca9d2e4a1fd51172b
Instruction Fuzzy Hash: C4211FB5900348DFDB10CFA9D984AEEBFF4EB48324F14841AE958A7311C378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B9478, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012B9951,00000800,00000000,00000000), ref: 012B9B62

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e3e4815eb868a73cd54b4908bc6b8b559f70dbc2ef38620d11b8ea9b637adf8
Instruction ID: 5ac5f3454b6c99b323e32d587f7feaefdb6b1175da50a596fb968c3173e95c54
Opcode Fuzzy Hash: 4e3e4815eb868a73cd54b4908bc6b8b559f70dbc2ef38620d11b8ea9b637adf8
Instruction Fuzzy Hash: A71106B29042098FDF10DF9AC484BDEFBF4EB48354F54852AE615A7300C3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B9AF0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,012B9951,00000800,00000000,00000000), ref: 012B9B62

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d2695c4aebd3ecae875fd3a6d27b995866e0cf252f7b18f04c996d46a0581c70
Instruction ID: d3d16aff3269a7f447259261686ff74b63a5cef5ffc3a587befff2a0fb7b3969
Opcode Fuzzy Hash: d2695c4aebd3ecae875fd3a6d27b995866e0cf252f7b18f04c996d46a0581c70
Instruction Fuzzy Hash: 111117B28002098FDF10CF9AC484ADEFBF4EB48354F14851AE515A7300D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B9869, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 012B98D6

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 182a4ccb3f5ba4e2b80e25c1f3ce3acf1cf38a96804f8f5c7418439d604f7b51
Instruction ID: 9008a2bd3e5b3dad768d78a07d8c05885f7c3732cf8bf7ee1df81e656ac866a7
Opcode Fuzzy Hash: 182a4ccb3f5ba4e2b80e25c1f3ce3acf1cf38a96804f8f5c7418439d604f7b51
Instruction Fuzzy Hash: 9B11EFB1C006098BDB20DF9AD484BDEBBF8EF88324F14852AD519A7200D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012B9870, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 012B98D6

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6bc90b1266fad9489f64d83e8970f786ea4db9525d55d285feb9ae40345923da
Instruction ID: 13c0f64eba85666081d1b85fe970e45721f99f929dcdedd18b407372283eaf84
Opcode Fuzzy Hash: 6bc90b1266fad9489f64d83e8970f786ea4db9525d55d285feb9ae40345923da
Instruction Fuzzy Hash: 8111DFB5C006498FDB20DF9AD484ADEFBF8EF88324F14852AD519A7700C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6E18, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

89C, xrefs: 05CC6EB8

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 89C
API String ID: 0-138994588
Opcode ID: fbdf09700192fdb2dbe18c80a40ac5c8705a37efdad89422d199fd9d2900610d
Instruction ID: e28604a97f8511be49444f6d84f8b0fc13e3e78bdae48cea5f843894c4c21bdd
Opcode Fuzzy Hash: fbdf09700192fdb2dbe18c80a40ac5c8705a37efdad89422d199fd9d2900610d
Instruction Fuzzy Hash: 9F31EDB0E1410A9FCB04CFAAC541AAEFFB2FB89350F14C9AAD415A7355D73496828B91

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6E28, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

89C, xrefs: 05CC6EB8

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 89C
API String ID: 0-138994588
Opcode ID: 197e0115d6a129b6ddfb5eaf148e28e194e9f619f344525ce038a042787c4a81
Instruction ID: 8c79d6f3767b7bff0e43d2537923f9321f292502c7e1f967ca04494299685a2f
Opcode Fuzzy Hash: 197e0115d6a129b6ddfb5eaf148e28e194e9f619f344525ce038a042787c4a81
Instruction Fuzzy Hash: CF310DB4E14209DFCB04CFEAC5406AEFBB2FF49240F14C9AAD419A7355D7349A818B91

Uniqueness

Uniqueness Score: -1.00%

Function 05CCA8D7, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8aa93c562d8962b003faddd72b911d60e52d4f1d358ac91104723f5a2bfbdd
Instruction ID: 9dcb2661349cf9777210834e2272672a62949283a7d333c03fa4d1e5deab6d45
Opcode Fuzzy Hash: 8d8aa93c562d8962b003faddd72b911d60e52d4f1d358ac91104723f5a2bfbdd
Instruction Fuzzy Hash: 38315CB5E042098FCB04CFA9D84669EBFB2EB89200F04C46AD515F7354DB349946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC48E8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04506e536418ce01eccf30d66c4b8efa07504b65f7fd38d1d9dc3de3d0823a75
Instruction ID: de1da942bab2c069a4e2bec0d20a8ef64ca6e07a24902f87571c5766e6bd4c60
Opcode Fuzzy Hash: 04506e536418ce01eccf30d66c4b8efa07504b65f7fd38d1d9dc3de3d0823a75
Instruction Fuzzy Hash: 7731F7B4E01219AFCB44CFA9C581AAEBBF2FF88300F50C56AD815A7354D7349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC48F8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6cb71c40a74c8514d68f442c21011133b0b6382fcb10a7d530d5674799f1c0
Instruction ID: 78ae4d4533b1dc95319f755cece21ec811dbada874a9e1b00048b5adf67e83aa
Opcode Fuzzy Hash: dd6cb71c40a74c8514d68f442c21011133b0b6382fcb10a7d530d5674799f1c0
Instruction Fuzzy Hash: 5831B7B4E042199FCB44CFAAC581AAEBBF6FB88311F10D5AAD815A7354D7349A41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471739538.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1a9a0ebcacc14be526fb3a99964c9c9a9015376559ad43e2d2d89a4c340de8
Instruction ID: 1e43649733cf652b810799ef632eab979fb82675d369dc8a0b4dfb313effc178
Opcode Fuzzy Hash: 1e1a9a0ebcacc14be526fb3a99964c9c9a9015376559ad43e2d2d89a4c340de8
Instruction Fuzzy Hash: DE216AB2904240DFCF20DF14C8C0B66BF65FB84328F28C569E8054B206D336D816EFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6A40, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6046d0547464dbd2caf514268c801f7114537cea163aeddbe11858e8803f67
Instruction ID: 478d4bb85a24d2a05921ddcaca88f07b2581fbaa4331a483100fccc76390c8a1
Opcode Fuzzy Hash: 1f6046d0547464dbd2caf514268c801f7114537cea163aeddbe11858e8803f67
Instruction Fuzzy Hash: 5B310D74D09209EFCB44CFA9C6416AEFFF2EF89300F20D9A9D105E7264D7309A919B50

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4A09, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8249a224a823f5a916243d541b8cff805af44f9f5c1ed59186d978b388efb8eb
Instruction ID: 66387eb47a9888eb58f0088fa637e018a354a9b8fe4768cce6d189faaf81b525
Opcode Fuzzy Hash: 8249a224a823f5a916243d541b8cff805af44f9f5c1ed59186d978b388efb8eb
Instruction Fuzzy Hash: 7631D874E04209DFDB48DFA9D981A9EBBF2FB88300F14C9A9D418A7314E7349A458F55

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6A39, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4bbcb34818423280de8440ace302392357642300230c8f6ce6c0a7814d1b76
Instruction ID: 864264abaa880bc689d4a0c95283d85ef31d840adf0df05b5f3f0181c783c4bd
Opcode Fuzzy Hash: 3d4bbcb34818423280de8440ace302392357642300230c8f6ce6c0a7814d1b76
Instruction Fuzzy Hash: 6131FD74D05209EFCB44CFA9C6416AEFFF2EF88240F24D9AAD505E7264D7349B819B50

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471766126.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574cbe43ac15aa81670aba84d0e82e61f0eaddefe6a09c68972081e1c6652a8c
Instruction ID: c9eb17feac8aeb9d94319f05d32fb956fc525dcf81986e2aa99b6e60387a2e9f
Opcode Fuzzy Hash: 574cbe43ac15aa81670aba84d0e82e61f0eaddefe6a09c68972081e1c6652a8c
Instruction Fuzzy Hash: 5121D371544240DFCB14DF28DAC1F2ABB65FB84324F24C5BDE90A4B24AC336D847EA61

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4A18, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d12bb9f0347ee9449bd7388026e7edc475d5e5cba2239795f28ed069923385
Instruction ID: 2d1e250d4114c928fe305c5f5400722edb5163c08577235a9782cb9fe5bb4c29
Opcode Fuzzy Hash: e7d12bb9f0347ee9449bd7388026e7edc475d5e5cba2239795f28ed069923385
Instruction Fuzzy Hash: 9D21E874E04209DFCB48CFA9C5819AEFBF2FB88301F11D9A9D418A7314E730AA458F55

Uniqueness

Uniqueness Score: -1.00%

Function 05CCA908, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf03bbd26d9945a10641f91f240294055dbbb3bc26cef87af45f113c55bf29c
Instruction ID: 5dd36513fedc6c33ae18e9c2dfad3719a91ed0f42c34bd5ad70d1b68ebab141b
Opcode Fuzzy Hash: bbf03bbd26d9945a10641f91f240294055dbbb3bc26cef87af45f113c55bf29c
Instruction Fuzzy Hash: EE210574E042098BCB04CFAAD84A6EEBBF6EB88210F10C56AD815B7354DB309941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6B61, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422154d25247128933e5afd25da3b32ddda38f51cc4f656c146ada1d09d25d70
Instruction ID: 9f9b58f700f4c82ce791bb35f7dcf86a0f543ac977cd14f76e387a0cf7d2f0a0
Opcode Fuzzy Hash: 422154d25247128933e5afd25da3b32ddda38f51cc4f656c146ada1d09d25d70
Instruction Fuzzy Hash: C7212574E01208AFDB04DFA9CA85A9EBFF2EF88200F15C5A9D409A7355DB30DA408B40

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5229, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c9288bee1518d60b6a916a0e8684a6ff2ed32e24dc372d5eb6d3249691c339
Instruction ID: c63a0279337b1b155c497de4d1f5b26ba3e5e5e464b6bb2d53eb0610c99f2d01
Opcode Fuzzy Hash: 07c9288bee1518d60b6a916a0e8684a6ff2ed32e24dc372d5eb6d3249691c339
Instruction Fuzzy Hash: CD214C74E04609AFDB08CFA9D541AAEBBF2FB89300F1485A9D415E7364E735AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5238, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4fb988e6dfdd13fb4e998a96b090242193b86831b39eb9334b35ca4649fe22
Instruction ID: fd0cde45fa5b55ac46feddb8c186e2a5474d16013f36e1b6d2d826df56744ac9
Opcode Fuzzy Hash: 8f4fb988e6dfdd13fb4e998a96b090242193b86831b39eb9334b35ca4649fe22
Instruction Fuzzy Hash: D4214970E04209EFCB48CFA9D4406AEBBF2FB88300F1485A9D416E7354EB35AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05CC6B70, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e279be56cfc8b2800404979c5e6dacf700738e27e770c68f10f2d764307a67b
Instruction ID: 2b34660fae3ec16e8c97fad538f7d6e3216d3c66137f6b613315358aa72f6a95
Opcode Fuzzy Hash: 7e279be56cfc8b2800404979c5e6dacf700738e27e770c68f10f2d764307a67b
Instruction Fuzzy Hash: 5F212374E10208AFDB04DFA9C695A9EFFF2EF88200F15C4A9D409A7364DB709A809B40

Uniqueness

Uniqueness Score: -1.00%

Function 00FCD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471766126.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5eb7a60a23755d8b81d062049c8e6729f4779af5ff97d0a3fee63d054d21b10
Instruction ID: 1c796c08590af6af52a291264bf850ed03d177148fbf6e5f976d379d470855bb
Opcode Fuzzy Hash: f5eb7a60a23755d8b81d062049c8e6729f4779af5ff97d0a3fee63d054d21b10
Instruction Fuzzy Hash: 1C2192755493C08FCB02CF24D990B15BF71EB46324F28C5EED8498B697C33A980ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 05CCBC58, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0df4ccd6f40af030d7fa41c0c73d59d0761719c92375af98effc75c43bd2e3
Instruction ID: 7af34f2705bd91df9ee631fffe1c2a652c2cc08314ecb820001c5e8706f4a472
Opcode Fuzzy Hash: fd0df4ccd6f40af030d7fa41c0c73d59d0761719c92375af98effc75c43bd2e3
Instruction Fuzzy Hash: 48119134B001158BDB24ABBA88526BF7AA7BB84358F4489BDE90687380EF74CD4087D1

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDDF0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5feb8733914567150b2bb8f141d2f39c5ee3395674dd6884dd20d77a150ce3c5
Instruction ID: cb15a888b2a9556d8c92dc7ef15d688dcd09eee600a4abd70c9e3b002bc58360
Opcode Fuzzy Hash: 5feb8733914567150b2bb8f141d2f39c5ee3395674dd6884dd20d77a150ce3c5
Instruction Fuzzy Hash: B02138B4E05209EFCB44DFA9D5452AEBFF2FB89200F20C5AED506E3344E7309A419B80

Uniqueness

Uniqueness Score: -1.00%

Function 05CC3220, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98da5606ae402ec0f4b5ecd9272eed7dba1398d5a2565b65c0739565c21d183
Instruction ID: c6d9028ed3777fe1c7a71503ea8e506288c5dbb69846ea5a44a596a11bdbe6ba
Opcode Fuzzy Hash: a98da5606ae402ec0f4b5ecd9272eed7dba1398d5a2565b65c0739565c21d183
Instruction Fuzzy Hash: 61115170915208EFCB00FFA4E949B9DBBB5FF41304F5089A8E0089B665EB359E45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05CCFB90, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61a0c54e432c515a67e145e975f83933871bd54b4975d0e05adbfa043307148
Instruction ID: ac519f98aeda02092ed8ac09734bbb1bba8434ede35bd5962895acdacff96a0f
Opcode Fuzzy Hash: a61a0c54e432c515a67e145e975f83933871bd54b4975d0e05adbfa043307148
Instruction Fuzzy Hash: FA21177947910CDBE3102BA4F90F64A7F75BE5468E3514620B10AC00A48E241DCBBFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471739538.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
Instruction ID: 5547349fffb8a02f94266183febfde0089fbc1065b5af2ea2c8223a2498b46fe
Opcode Fuzzy Hash: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
Instruction Fuzzy Hash: AA11D376804280CFCB15CF14D9C4B56BF71FB84324F28C6A9D8450B616C33AD85ADFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471739538.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056e5914b8e2a75525569debdb0526c4572e0f2baac1a8dac84501520f727da4
Instruction ID: 782c6cfe073f61c2d00f2b60c3806a5decb5d4d76a66b961a2457bdb308a3a8d
Opcode Fuzzy Hash: 056e5914b8e2a75525569debdb0526c4572e0f2baac1a8dac84501520f727da4
Instruction Fuzzy Hash: 3E01A7724083449AEB205B27CC847E6BB98EF41378F38C559ED045B246EB799C44DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471739538.0000000000FBD000.00000040.00000001.sdmp, Offset: 00FBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bb8e490523c3255f0c0b77356bd168aa90a05f82b2e3d0ef2b11b025f1908d
Instruction ID: fc483de4940705fd25ecad405156bd62535892e6b95287dfa75d5b695839a499
Opcode Fuzzy Hash: 09bb8e490523c3255f0c0b77356bd168aa90a05f82b2e3d0ef2b11b025f1908d
Instruction Fuzzy Hash: 5BF06271408284ABEB108A16CC84BE2FF98EB91734F28C55AED085F286D7799C44DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05CC3721, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ecba42db04bc6be4835b0ae03a311cf5a48fd5935f55cbdb98ce84df61be71
Instruction ID: 25e09ef5ee4ccbdd30a1fd26cef56563a9f0c6631068a39484311c9be00d370c
Opcode Fuzzy Hash: a5ecba42db04bc6be4835b0ae03a311cf5a48fd5935f55cbdb98ce84df61be71
Instruction Fuzzy Hash: EC01C870A052189FDB64EF65DD90B9DB7B1BF49204F4085D9D00DB7364DB30AD458F21

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4B10, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fdd9d506cdb49766aeba4a1aa7865799f8fa07367ae0e02e1433064c3c6eda
Instruction ID: d8f7874c96d2c2eb19fd032e7dce1b37f95c3ddf6bb2432330836e899ab63d4b
Opcode Fuzzy Hash: 93fdd9d506cdb49766aeba4a1aa7865799f8fa07367ae0e02e1433064c3c6eda
Instruction Fuzzy Hash: 2EF0BE70800208DFCB15CFA8C945B9DBFB1FB05315F4046A9E81457392C7365651DB80

Uniqueness

Uniqueness Score: -1.00%

Function 05CCB012, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f41a7772b92c9f157b2aa5af8e67bdb36d18f1b33439fb5b93f04d5a4e5a6a0
Instruction ID: f22692f5207bc1fa6da6ed834fd37126f650ec7f7c217ae945d1eaa2a224b280
Opcode Fuzzy Hash: 9f41a7772b92c9f157b2aa5af8e67bdb36d18f1b33439fb5b93f04d5a4e5a6a0
Instruction Fuzzy Hash: 59F0A574D112089FDB40EFA8D9467ADBBF4FB44304F5046A9D418A3380E7745A51CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CC59D4, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a999ee4a44870632098cc72365e9f6c6c9bfb7dea072069d4ceb66b13f2f794a
Instruction ID: 48a8216bb567355f587b03451b489ea8824819b7962566a9af54a2503cd4be8a
Opcode Fuzzy Hash: a999ee4a44870632098cc72365e9f6c6c9bfb7dea072069d4ceb66b13f2f794a
Instruction Fuzzy Hash: B6F0A070615345DFCB24CFA4C140489BFB2FF85301B5018EAE4069B6A5C735E980CB01

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4B20, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35af276877a9dd703adc39ba81775f5e275938ff3a2948c47f9de6e3fd739f70
Instruction ID: e0f44933ad779b796cd37124a779cb5d952cb36d6bbf9ba7c43a866af5d03d6f
Opcode Fuzzy Hash: 35af276877a9dd703adc39ba81775f5e275938ff3a2948c47f9de6e3fd739f70
Instruction Fuzzy Hash: 21F0AC74D00218EFDB44DFA8D545AADBBB5FB08301F1086AAD81497350D7719A51DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CCBC08, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2970b15d4004bd9e6a26e165d392ed7d3fbcf4e6949fee8096a097786396679d
Instruction ID: 3f42b032549b04904c24ebedf0e3b9277ed19f20a98ae50a7d3af243d3aedcac
Opcode Fuzzy Hash: 2970b15d4004bd9e6a26e165d392ed7d3fbcf4e6949fee8096a097786396679d
Instruction Fuzzy Hash: 78E0C974D0021CEFCB44EFE8D8056ADBFB4FB48300F0086A9E858A3350EB705A50DB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5805, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708652cb22bde3667677239b40e5a163ad3da71ce56c3976c4757b98c30fc390
Instruction ID: 5ef7b165ed2cda58c7f51ad76731256bd51f4d767af2db693f5ba2bd9e43a791
Opcode Fuzzy Hash: 708652cb22bde3667677239b40e5a163ad3da71ce56c3976c4757b98c30fc390
Instruction Fuzzy Hash: 36F05A74912668CFDBA0CF64C884ADCBBB1FB49312F1000DAE409AB350DB30AA81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05CCFB40, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f41605c19d42b26d5a4e4d891c22b72585ec117bd1070616839cf4b0d586f10
Instruction ID: 5a988fb2c3c80e4926ead41130841cc672f83d9cc5364987666eaf7646026c55
Opcode Fuzzy Hash: 6f41605c19d42b26d5a4e4d891c22b72585ec117bd1070616839cf4b0d586f10
Instruction Fuzzy Hash: 51E0ED74D0021CEFCB44DFE8D8016ADBBB5FB44300F1086ADD814A7340E7719651DB94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9B1D, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950c53630084c0807aa774220a52d34d7220278566fcd1f52e12bc4512be5c98
Instruction ID: 3716ccd08aab401de12aa921446be2b71158704ba8a911fc6e6ca5aeb6878871
Opcode Fuzzy Hash: 950c53630084c0807aa774220a52d34d7220278566fcd1f52e12bc4512be5c98
Instruction Fuzzy Hash: 81F0F230A142499FDB04EF94D49569CBBB2FB89310F20892AA812EB79CD6345E428F00

Uniqueness

Uniqueness Score: -1.00%

Function 05CCEDD0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7aa715ed1e12b589f5217ce018cc51b940b798545df5993ecd11c8e2721c2e
Instruction ID: 9ac5d9144ce16f88858cfc3dda7284aebf8459ce268a36cf69450284d235aa53
Opcode Fuzzy Hash: cf7aa715ed1e12b589f5217ce018cc51b940b798545df5993ecd11c8e2721c2e
Instruction Fuzzy Hash: E7E09A74D10208AFC780DFB9D449A9CBBF4FB08214F1081EAD818D7351E7359A44CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05CCB020, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f04218e6be553034d23e6eaffc6012887c552e450e90b85106ee729a2b4604
Instruction ID: 2b756a910f21916230c807ce73abb402799be8ffb4bc0ce459de5307c06fe93c
Opcode Fuzzy Hash: 26f04218e6be553034d23e6eaffc6012887c552e450e90b85106ee729a2b4604
Instruction Fuzzy Hash: 59E07574D1421C9FDB44EFE8E9466ADBBF4FB48304F5046AAD818A3340EBB05A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5F65, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00a362e6aa2218a531367b70694fdf543bbddd54f89d0025fd629afac0652ee
Instruction ID: f8803089a5bef0ebdd1f2608cafb69109ec30d6d215b499eca96b2d2cb6b8504
Opcode Fuzzy Hash: e00a362e6aa2218a531367b70694fdf543bbddd54f89d0025fd629afac0652ee
Instruction Fuzzy Hash: CEF02B78A012188FDB14CF95CA809DDBBF2EB48311F6451A9E805B7354D736AE85CE14

Uniqueness

Uniqueness Score: -1.00%

Function 05CCE228, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca679d7ac60a06997e3976883ba8e1becc6f6087ea8786d265cdf29d0b172643
Instruction ID: 7d6bc748dcebcf610c198660a0b03373524e11f60899beeef40b730ac7d6306c
Opcode Fuzzy Hash: ca679d7ac60a06997e3976883ba8e1becc6f6087ea8786d265cdf29d0b172643
Instruction Fuzzy Hash: D6E07E74E10208AFCB40DFA8D445A9CBBB8EB09204F1081AAD919D7360EB35AA44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCED88, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff37a11dbd44a51794b64c1bc0bed281687ce214761eef84b4ee47f2531391f
Instruction ID: b091f0eef6a3143d10c467be2ea0d15b7f9ce894161d741340d2c61fcab63e10
Opcode Fuzzy Hash: dff37a11dbd44a51794b64c1bc0bed281687ce214761eef84b4ee47f2531391f
Instruction Fuzzy Hash: DFE0BD70D1820CAFDB80EFE8980579CBBB8EB04204F0081AAC818A3380EB355A858B81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCE990, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2056b366d2a1081877733e95f0f2c0fbfe05cfffb18dfb260639bf3ec573aeca
Instruction ID: d1f3f34c29e76d4275c136a46a52f5f02684c9b7e0dcba455e30bcc68bffbee9
Opcode Fuzzy Hash: 2056b366d2a1081877733e95f0f2c0fbfe05cfffb18dfb260639bf3ec573aeca
Instruction Fuzzy Hash: 95D01730D0520CAFCB44EFF8E80579DBBB8FB44204F1086AAC80CA3390EB341A85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05CCD9A0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6508b605da9a1a36703ad15da94ff2b72d4d509a9e953bf1d9a120441704b657
Instruction ID: c8278f18d3dd61f542abe42ef8f3609800823559abf3dc905bffa40e89239171
Opcode Fuzzy Hash: 6508b605da9a1a36703ad15da94ff2b72d4d509a9e953bf1d9a120441704b657
Instruction Fuzzy Hash: 7BE0BD74E21208AFCB90EFE8944579DBBF4EB04208F0085AA8819E7280EB355A449B81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDB10, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c465a7ae428c4c053a5930640b9317db1058b33ef02d391f6422b653380a142f
Instruction ID: 0dfbcaac3d4357403381220d696794cf4f250a56b7221a492cb1ac406d8313fe
Opcode Fuzzy Hash: c465a7ae428c4c053a5930640b9317db1058b33ef02d391f6422b653380a142f
Instruction Fuzzy Hash: 35D01234D0520CABC754DFF9E80579DBFB4FB44204F1086A9D40993250DB701A55CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCEAB8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda37f89778b8407b677a69d076aace3ec9cbce77b8b5edebcda2eda84b60a9d
Instruction ID: 3d0b0109d585436ac4d1ba418a6cb9991da8b369d40f6610aa6d82f77bbfd3ac
Opcode Fuzzy Hash: bda37f89778b8407b677a69d076aace3ec9cbce77b8b5edebcda2eda84b60a9d
Instruction Fuzzy Hash: 44E0BD70D10208AFCB44EFF8940579CBBB8EB44204F0085AA9908A3290EB345A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05CCEB40, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f79a2db4e9ac241c02f91a6122d5c52e2846ef006498ed89101e928962697d
Instruction ID: 79460431e341fb301ac73257551f6694ad9b67d3a884295b0f1889ebc8b79ac7
Opcode Fuzzy Hash: 13f79a2db4e9ac241c02f91a6122d5c52e2846ef006498ed89101e928962697d
Instruction Fuzzy Hash: 03D0A73081110C9BC704EFF8985579D7FB8E700105F0001A9C80893380FB311A49C781

Uniqueness

Uniqueness Score: -1.00%

Function 05CC5A58, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ba2529028e150a5cd2cb1b8094a424412596267104bdcb18d10bbddebeac415
Instruction ID: 5c1f721bf860828fc53896071c4901e05b780752c6679c39ccf125df37a8f287
Opcode Fuzzy Hash: 8ba2529028e150a5cd2cb1b8094a424412596267104bdcb18d10bbddebeac415
Instruction Fuzzy Hash: 05E0EC74612314DFD768CFA4D145898BBB2FF89305F505499F4069B294CB35DD80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9284, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7189c3c76fee9c7e9b80ada492536572a9721ae8439fa986efd7a1034403c851
Instruction ID: 38850d5b007ced7ba5ed76ca6e2588796c24fc53aa7b24e24187efcf507279af
Opcode Fuzzy Hash: 7189c3c76fee9c7e9b80ada492536572a9721ae8439fa986efd7a1034403c851
Instruction Fuzzy Hash: 56D01730A02209CFDB50EF25ED81B8CB7B2FB44200F009EA9D009E7264DB309E42CF00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05CC7EE8, Relevance: 11.4, Strings: 9, Instructions: 162COMMON

Download Yara Rule

Strings

0!|Q, xrefs: 05CC7F89
jIy, xrefs: 05CC7FFC
VG)T, xrefs: 05CC7FAF
0!|Q, xrefs: 05CC7F82
5y>s, xrefs: 05CC7F6A
0!|Q, xrefs: 05CC7FA0
VG)T, xrefs: 05CC7FB6
Mf, xrefs: 05CC80AB
Mf, xrefs: 05CC80A4

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 0!|Q$0!|Q$0!|Q$5y>s$VG)T$VG)T$jIy$Mf$Mf
API String ID: 0-1985276762
Opcode ID: a582365cbb3068f70e1489896a06ee5cad7fb7be1fa47d7848412eade07c0a7e
Instruction ID: b0b1125d934c52ab18f29ac27be90e6419fd72b5de4140bfbd8217cf8105bbfe
Opcode Fuzzy Hash: a582365cbb3068f70e1489896a06ee5cad7fb7be1fa47d7848412eade07c0a7e
Instruction Fuzzy Hash: E071C274D1521A9FCB04CFAAD4819AEFFB2FF48350F14895AD415A7314D7349982CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CC7ED8, Relevance: 10.2, Strings: 8, Instructions: 154COMMON

Download Yara Rule

Strings

0!|Q, xrefs: 05CC7F89
jIy, xrefs: 05CC7FFC
VG)T, xrefs: 05CC7FAF
0!|Q, xrefs: 05CC7F82
5y>s, xrefs: 05CC7F6A
0!|Q, xrefs: 05CC7FA0
VG)T, xrefs: 05CC7FB6
Mf, xrefs: 05CC80AB

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: 0!|Q$0!|Q$0!|Q$5y>s$VG)T$VG)T$jIy$Mf
API String ID: 0-1719893646
Opcode ID: 1107725f7db03dfcc2952a5dff913dd71aa3a5c1c27fe7427538726f1f65f4f6
Instruction ID: c47db615a8f64556499d7e71e0364d2a34a1beb9db27d8aca22dc2294d2483b9
Opcode Fuzzy Hash: 1107725f7db03dfcc2952a5dff913dd71aa3a5c1c27fe7427538726f1f65f4f6
Instruction Fuzzy Hash: EB61C474E1520A9FCB04CFA9C5809AEFFF2FF48250F14899AD515A7215D734A982CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CC7300, Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

HHMm, xrefs: 05CC74AB
HHMm, xrefs: 05CC74D0
HHMm, xrefs: 05CC74B2

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: HHMm$HHMm$HHMm
API String ID: 0-1540842996
Opcode ID: 1a8bb27dfa1916477e03d127bdd6e71d61e3149f48f9bbd3dc64a9c20478900d
Instruction ID: 694a2d665e3c5efde60992d4e4765775c35ed01f9c6b3f952ffa8dd1c252e4c0
Opcode Fuzzy Hash: 1a8bb27dfa1916477e03d127bdd6e71d61e3149f48f9bbd3dc64a9c20478900d
Instruction Fuzzy Hash: DA81B574E1421ADFCB44CF9AC58499EFBF2FF48250F189569E419AB320D334AA42CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05CC72F0, Relevance: 3.9, Strings: 3, Instructions: 172COMMON

Download Yara Rule

Strings

HHMm, xrefs: 05CC74AB
HHMm, xrefs: 05CC74D0
HHMm, xrefs: 05CC74B2

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: HHMm$HHMm$HHMm
API String ID: 0-1540842996
Opcode ID: e137ddae69aec2c039ed82703ab255b966677f1d285f139e566a3436dd1efb33
Instruction ID: e93ab44eb575160bcb79960f7f6a2ecb7d94e02a01b898299d4b37b39b5c6885
Opcode Fuzzy Hash: e137ddae69aec2c039ed82703ab255b966677f1d285f139e566a3436dd1efb33
Instruction Fuzzy Hash: FA71D574E14219DFCB44CFA9C98499EFBF2FF88250F189569E419AB324D334AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05CCE2B0, Relevance: 3.9, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

uZ$K, xrefs: 05CCE3FE
b5ln, xrefs: 05CCE330
uZ$K, xrefs: 05CCE3F4

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: b5ln$uZ$K$uZ$K
API String ID: 0-4139832932
Opcode ID: 1eac6957d132c374e5af8a72a1a5b8852b4c2daa1806e030be52508b559a51ce
Instruction ID: 36941be02fddc90ff2d2eab262953bf71643631d77e1b3bdee015b3fd94a91fc
Opcode Fuzzy Hash: 1eac6957d132c374e5af8a72a1a5b8852b4c2daa1806e030be52508b559a51ce
Instruction Fuzzy Hash: 94413A70E11619DFCB18CFAAD980B9EBBB6FF89200F14C4AAD509A7354DB305A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05CCDED8, Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

96m, xrefs: 05CCE05D
t!W7, xrefs: 05CCDFD9

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: t!W7$96m
API String ID: 0-739402109
Opcode ID: 1ef719d494643f71d2af1256f99a3651a20c3639f8905c017e0cdd80263562d2
Instruction ID: 455cb28591e19011f81097d0c518a8ae2fc90d8f02b46d8326d7b1249812693c
Opcode Fuzzy Hash: 1ef719d494643f71d2af1256f99a3651a20c3639f8905c017e0cdd80263562d2
Instruction Fuzzy Hash: 9D414474D15209DFDB04DFA6D8406AEBBF2FF89300F1088AAD116E7268E7349A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4F78, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

DVwf, xrefs: 05CC517C

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: DVwf
API String ID: 0-2578213160
Opcode ID: 4adc6c6b583449cc39084a41b5e983b6a6a9701c6cff4659307255b8722378bd
Instruction ID: 61ed5affe0e90c3ed9bba309881d74d17ea2cb01d957d1d94227be3bffd8c93b
Opcode Fuzzy Hash: 4adc6c6b583449cc39084a41b5e983b6a6a9701c6cff4659307255b8722378bd
Instruction Fuzzy Hash: 5D61E574E0520A9FCB04CF9AD4809EEFBB2FB88351F108969E515AB314D774AA81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC4F68, Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

DVwf, xrefs: 05CC517C

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: DVwf
API String ID: 0-2578213160
Opcode ID: a6331d254d35797ba39476175adea519baf417ed24851d15bcdce9deb50ea39a
Instruction ID: 66fd731b43949a1e62b719c0fcf7ca25573b301571bdddc29918d7026a3182b1
Opcode Fuzzy Hash: a6331d254d35797ba39476175adea519baf417ed24851d15bcdce9deb50ea39a
Instruction Fuzzy Hash: C9510674E0520ADFCB04CF99D581AAEFFB2FB88351F14896AE415A7354D374AA81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8590, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

Wazr, xrefs: 05CC865B

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: Wazr
API String ID: 0-1431357564
Opcode ID: 69a95890bcbf8db31f30030090f182fc42eaf72cc3c525e13e1cedad5a8dcdbd
Instruction ID: 5a0026dfbcd587ed11b7e889c28549494e73d4eea8f16419bad69f2bdaff664f
Opcode Fuzzy Hash: 69a95890bcbf8db31f30030090f182fc42eaf72cc3c525e13e1cedad5a8dcdbd
Instruction Fuzzy Hash: 3941E8B4E0560ADBDB44CFAAC5415AFFFF2FB88300F14C4AAC915A7254D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8581, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

Wazr, xrefs: 05CC865B

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: Wazr
API String ID: 0-1431357564
Opcode ID: febc776aee06392c689345a121a2bf44e5e6a2b553fa20e747bc230b04f44d7a
Instruction ID: 1fa1b3c8b0ff88d48678531434dcd7f3b892ef30b4ec6d6bb7fb4f1d9c9f7f0b
Opcode Fuzzy Hash: febc776aee06392c689345a121a2bf44e5e6a2b553fa20e747bc230b04f44d7a
Instruction Fuzzy Hash: E04129B0E0560A9BDB04CFAAC5405AFFFF2FF88300F24C5AAC915A7254D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9CC0, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

b&h~, xrefs: 05CC9D46

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: b&h~
API String ID: 0-2519885650
Opcode ID: 0a80605000773bb7eadf55fffb2c0052540f6c53b36c0fbc12b20a220c498b40
Instruction ID: f58ac15e6c5d8d68758ff0ec400bc91b3e1626e7b430f6024f1cd1b10f66a7ab
Opcode Fuzzy Hash: 0a80605000773bb7eadf55fffb2c0052540f6c53b36c0fbc12b20a220c498b40
Instruction Fuzzy Hash: 66316B70E156189BDB08CFAAD94169EFAF3AFC9200F14C56ED418A72A4EB345A018B51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC9CE0, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

b&h~, xrefs: 05CC9D46

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID: b&h~
API String ID: 0-2519885650
Opcode ID: 1671497730fb2be35a6e74c881ba83690e491be628164a9a75747189bd2b4c9e
Instruction ID: ae71b515278639c2a5edd0cb4b38b129de56e3fdbd82b322a69e5f3814692e6c
Opcode Fuzzy Hash: 1671497730fb2be35a6e74c881ba83690e491be628164a9a75747189bd2b4c9e
Instruction Fuzzy Hash: E0215971E116189BDB08CFAAD9406AEFBF7FBC8210F24C57AD418B7264EB345A018B50

Uniqueness

Uniqueness Score: -1.00%

Function 0087929D, Relevance: 1.3, Instructions: 1260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.469140045.0000000000872000.00000002.00020000.sdmp, Offset: 00870000, based on PE: true

Associated: 00000000.00000002.469073081.0000000000870000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.469874287.0000000000908000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d130e4039257e19cf6b4e07c18674340f6a204158ab5fe77ddab0cbbdef0dc2f
Instruction ID: e72f49c37fd065877be61863824881cf98b01a9a88ddcc69d92cbc484982adf1
Opcode Fuzzy Hash: d130e4039257e19cf6b4e07c18674340f6a204158ab5fe77ddab0cbbdef0dc2f
Instruction Fuzzy Hash: 4FA2E09280F7C59FDB178B785DB12A1BFB1AD6321871E84C7C0C4CF0ABE109995AD726

Uniqueness

Uniqueness Score: -1.00%

Function 05CC2C30, Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aad86f41931226a3d5d10fb4f847f9e85c55f0f6eb6c2dd23488b48364b7c62
Instruction ID: 381ce241e990ae23f6d6a06d54390ac555a3d527c5a513bc179cd3f004aa507b
Opcode Fuzzy Hash: 3aad86f41931226a3d5d10fb4f847f9e85c55f0f6eb6c2dd23488b48364b7c62
Instruction Fuzzy Hash: CB020F397042518FCB29DB29D484A3D7BA3BF85604B1A8CEDE446DB7A1CB31DD41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05CCB068, Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1032859c0e387573ac0adabea9070ff4f00a61413ef3bee2b642c08c42c6f170
Instruction ID: c3cc69896fb974639062d4f04a060d1de759a3dbbecb005c35071c291f79ed58
Opcode Fuzzy Hash: 1032859c0e387573ac0adabea9070ff4f00a61413ef3bee2b642c08c42c6f170
Instruction Fuzzy Hash: B7D19171E0420A8BCB04CFF9D5466AEFFB2EF88218F5089ADD516B7355DB349E418B90

Uniqueness

Uniqueness Score: -1.00%

Function 012BE5B0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da659b6dad9bc76248654bd0f81b061b2bd10d76e9dbe5976d30b52dcd527da
Instruction ID: ba310f70165ddd486052ff64bba2f43af3ad34debc413163bc2a5c168d33a144
Opcode Fuzzy Hash: 8da659b6dad9bc76248654bd0f81b061b2bd10d76e9dbe5976d30b52dcd527da
Instruction Fuzzy Hash: A812B2F1411B468BE334CF65F99C1893BA1BB45338F91422CD2622BAD9D7B8116ECF94

Uniqueness

Uniqueness Score: -1.00%

Function 0BE422A0, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.479569368.000000000BE40000.00000040.00000001.sdmp, Offset: 0BE40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af93e3dc365f812d250cc358c4a874678ff92edb92e73901ac5d758008c27d52
Instruction ID: f24e9ba195bd60d1bd132905a99699c7c7685c88b0cf5f025bd2e5ee00520142
Opcode Fuzzy Hash: af93e3dc365f812d250cc358c4a874678ff92edb92e73901ac5d758008c27d52
Instruction Fuzzy Hash: 1491B234B141188BCB08EF7498642AE7BB7AFC8704F05852EE516E7388DF35C8569B92

Uniqueness

Uniqueness Score: -1.00%

Function 012BC164, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f62dfe4c8773ba6a30f91554e6e4310ba4b77b2008ca3504403f66b140e62d7
Instruction ID: 7d5d3222a69d15d70b7ffcb6b10f352241af522b58d5c248af743d46b4c96a71
Opcode Fuzzy Hash: 9f62dfe4c8773ba6a30f91554e6e4310ba4b77b2008ca3504403f66b140e62d7
Instruction Fuzzy Hash: D8A1AF32E2020A8FCF15DFF5C8845EEBBB2FF84344B15856AE905BB261DB31A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 012BE5AB, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.471886393.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ef43dc94e38d2182710e0854596cef125ea18e5321f841c88bc1e7cacda01d
Instruction ID: 89ec53db6c54e306e31172846b09267e4ae6589a7047a244616ec704f2541c7c
Opcode Fuzzy Hash: 14ef43dc94e38d2182710e0854596cef125ea18e5321f841c88bc1e7cacda01d
Instruction Fuzzy Hash: 31C139B1811B4A8BD724DF65F98C1893BB1BB85338F51432CD2616BAD8E7B4106ECF94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC87A0, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d12a12a0f78dece870617fe2f74868fbb79beeeada976cfbe679392e3224ef
Instruction ID: a88e4d5bc0cd81d123aef9453cedbdcd8b7cb63eeb809a197db522db1d5982b3
Opcode Fuzzy Hash: 96d12a12a0f78dece870617fe2f74868fbb79beeeada976cfbe679392e3224ef
Instruction Fuzzy Hash: 7681F575E15209DFCB04CFAAC5849DEFBF2FB88210F24996AD415B7324D3349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 05CC87B0, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1203e5b1677e1088e74dd99a508e60afc00e12ebf8fa986c1612645b8474da23
Instruction ID: 662782791b23abbb4756081af57bfb2f9e3168470428ae2aeb89f3480b818922
Opcode Fuzzy Hash: 1203e5b1677e1088e74dd99a508e60afc00e12ebf8fa986c1612645b8474da23
Instruction Fuzzy Hash: 2C71E574E15609DFCB04CFAAC5858DEFBF2FF88310F24986AD415BB224D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 05CC81E8, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b86d44f15a39ac74c0718342bdc0b49ba1bcf705a56dd166d819c4516d20a16
Instruction ID: 756584430eb99cdb59cd98b6c1e8a93342cb855328bb1cd2e022dd5a30a6544f
Opcode Fuzzy Hash: 9b86d44f15a39ac74c0718342bdc0b49ba1bcf705a56dd166d819c4516d20a16
Instruction Fuzzy Hash: 876116B0E05619DBCB04CFA6C5849EEFFB6EF88340F1498A9D515B7204D7349A42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 05CC81D8, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ed9e20e0e6b77bc2815243bf061669780bd7386b4a1d99d48d2097b325cf7c
Instruction ID: 3c5fe4f26d3ff656cb17fa0306f2a78f11672cd852a0dda9d88c7a3f81bba80f
Opcode Fuzzy Hash: 36ed9e20e0e6b77bc2815243bf061669780bd7386b4a1d99d48d2097b325cf7c
Instruction Fuzzy Hash: CF5128B0E0460A9BCB04CFA6C9849EEFFF6EF88340F14946AD515B7204D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8A60, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e65e3130fff157e0fab0188e50074655eed426f0577c9540dc12215f0f59b5
Instruction ID: f46b0754e6b8219231ad3860c305c8000c65b8606d31a4cfce8751f795f90095
Opcode Fuzzy Hash: d5e65e3130fff157e0fab0188e50074655eed426f0577c9540dc12215f0f59b5
Instruction Fuzzy Hash: AF41E4B0E1560ADFCB44CFAAC5815AFFBF2FB88300F24C5AAC405A7354D7349A418B94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8A51, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6cb6b80a743671fa944840a8326751837f7a0aa366022943e32f2a1b5a1afc1
Instruction ID: 122c9f048a79e70e57274e3161fc564131d0d0b359371a809a0a4ed6bccb6717
Opcode Fuzzy Hash: f6cb6b80a743671fa944840a8326751837f7a0aa366022943e32f2a1b5a1afc1
Instruction Fuzzy Hash: 5E41F6B5E0560ADBCB44CFAAC9815AEFBF2FB88300F24C5AAC515A7354D7349A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8C40, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5846fee9d71c7f9c8fe0cee4d219f869337390de64fc32a82a45d3a58f2e4d24
Instruction ID: f860aa566adcd306d14402fc792574f54ac1f844811ed6067b30eafd635b7a10
Opcode Fuzzy Hash: 5846fee9d71c7f9c8fe0cee4d219f869337390de64fc32a82a45d3a58f2e4d24
Instruction Fuzzy Hash: 4321C571E056189BEB18CFABD94069EFAF7EFC8300F14C0BAD508A6254EB345A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC8C32, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7b8fa778b3a3a1464ff698cd8ba536b436851c45eb93e48b0e005f2ec4f124
Instruction ID: 247d75451ca1dff2ea1af706ff083fa019cfd7bd36c50d284c5f162e2990ed55
Opcode Fuzzy Hash: ef7b8fa778b3a3a1464ff698cd8ba536b436851c45eb93e48b0e005f2ec4f124
Instruction Fuzzy Hash: 9621B871E056189BEB18CFABD94079EFAF3AFC8300F14C17AD518A6254EB345A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC32F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5eb004941b1cf8b4ca9374374bf32d07877a7fa2af62f7e82df4f61600fe03
Instruction ID: b32ae77a0b1a122f6760708e84f034a195eb6d1d94f96834ce0a3e9a24e97387
Opcode Fuzzy Hash: df5eb004941b1cf8b4ca9374374bf32d07877a7fa2af62f7e82df4f61600fe03
Instruction Fuzzy Hash: 7611BC71E006189BEB18CFABD8406DEFAF7BFC9200F08C57AD918A6258EB3415568F51

Uniqueness

Uniqueness Score: -1.00%

Function 05CC32EA, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.478495233.0000000005CC0000.00000040.00000001.sdmp, Offset: 05CC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65056f14b7bf2ff210b403c65cc8a5831b7c8ef809672a9b0e984dc409b96092
Instruction ID: 3866490162b9ba2a43fdfa1632c04ec983fe05f866523137f1c25a6d6efd5c74
Opcode Fuzzy Hash: 65056f14b7bf2ff210b403c65cc8a5831b7c8ef809672a9b0e984dc409b96092
Instruction Fuzzy Hash: 8111B271E006149BEB18CFABD8017DEFAF3AFC8200F48C57AD518A6254DB3405468F51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ No A'4762QHTECHNICAL DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Snake Keylogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre