
Windows Analysis Report
FqjWpTMVBm

Overview

General Information

Sample Name: FqjWpTMVBm (renamed file extension from none to exe)
Analysis ID: 679161
MD5: f8b75a887b9774203f7d77de434f40ea
SHA1: e19add1ef9b87ef54de6870b229cfbcaaeddb0fa
SHA256: de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • FqjWpTMVBm.exe (PID: 5068 cmdline: "C:\Users\user\Desktop\FqjWpTMVBm.exe" MD5: F8B75A887B9774203F7D77DE434F40EA)
    • cvtres.exe (PID: 2980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "contacto@tycautomotriz.cl", "Password": "tycautomotriz2020", "Host": "mail.tycautomotriz.cl"}
Source | Rule | Description | Author | Strings
00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2fcaa:$a13: get_DnsResolver
  • 0x2e4ca:$a20: get_LastAccessed
  • 0x30628:$a27: set_InternalServerPort
  • 0x30960:$a30: set_GuidMasterKey
  • 0x2e5d1:$a33: get_Clipboard
  • 0x2e5df:$a34: get_Keyboard
  • 0x2f8dd:$a35: get_ShiftKeyDown
  • 0x2f8ee:$a36: get_AltKeyDown
  • 0x2e5ec:$a37: get_Password
  • 0x2f08d:$a38: get_PasswordHash
  • 0x300aa:$a39: get_DefaultCredentials
00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(21 entries in total; table truncated)

Source | Rule | Description | Author | Strings
2.0.cvtres.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.0.cvtres.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.0.cvtres.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x3277a:$s10: logins
  • 0x321e1:$s11: credential
  • 0x2e7d1:$g1: get_Clipboard
  • 0x2e7df:$g2: get_Keyboard
  • 0x2e7ec:$g3: get_Password
  • 0x2facd:$g4: get_CtrlKeyDown
  • 0x2fadd:$g5: get_ShiftKeyDown
  • 0x2faee:$g6: get_AltKeyDown
2.0.cvtres.exe.400000.4.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2feaa:$a13: get_DnsResolver
  • 0x2e6ca:$a20: get_LastAccessed
  • 0x30828:$a27: set_InternalServerPort
  • 0x30b60:$a30: set_GuidMasterKey
  • 0x2e7d1:$a33: get_Clipboard
  • 0x2e7df:$a34: get_Keyboard
  • 0x2fadd:$a35: get_ShiftKeyDown
  • 0x2faee:$a36: get_AltKeyDown
  • 0x2e7ec:$a37: get_Password
  • 0x2f28d:$a38: get_PasswordHash
  • 0x302aa:$a39: get_DefaultCredentials
2.2.cvtres.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(27 entries in total; table truncated)
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: FqjWpTMVBm.exe | Virustotal: Detection: 56%
Source: FqjWpTMVBm.exe | Metadefender: Detection: 34%
Source: FqjWpTMVBm.exe | ReversingLabs: Detection: 53%
Source: FqjWpTMVBm.exe | Avira: detected
Source: FqjWpTMVBm.exe | Joe Sandbox ML: detected
Source: 2.2.cvtres.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.cvtres.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.cvtres.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.cvtres.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.cvtres.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.0.cvtres.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 2.2.cvtres.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "contacto@tycautomotriz.cl", "Password": "tycautomotriz2020", "Host": "mail.tycautomotriz.cl"}
Source: FqjWpTMVBm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: FqjWpTMVBm.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ZZSSACVSDFDHDJJHDG335.pdb source: FqjWpTMVBm.exe
Source: Joe Sandbox View | IP Address: 131.72.236.163
Source: global traffic | TCP traffic: 192.168.2.6:49767 -> 131.72.236.163:587
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://VMDVyE.com
Source: cvtres.exe, 00000002.00000002.635170682.0000000007096000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.tycautomotriz.cl
Source: cvtres.exe, 00000002.00000002.635170682.0000000007096000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tycautomotriz.cl
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: mail.tycautomotriz.cl
Source: FqjWpTMVBm.exe, 00000001.00000002.375993429.00000000010CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: FqjWpTMVBm.exe PID: 5068, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: cvtres.exe PID: 2980, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 2.2.cvtres.exe.400000.0.unpack, <PrivateImplementationDetails>{711C5A71-F4E1-45E1-90D5-4B8A252BB8A6}/8B73B275-9749-4406-994C-B871A74003B2.cs | Large array initialization: .cctor: array initializer size 11651
Source: 2.0.cvtres.exe.400000.2.unpack, <PrivateImplementationDetails>{711C5A71-F4E1-45E1-90D5-4B8A252BB8A6}/8B73B275-9749-4406-994C-B871A74003B2.cs | Large array initialization: .cctor: array initializer size 11651
Source: 2.0.cvtres.exe.400000.4.unpack, <PrivateImplementationDetails>{711C5A71-F4E1-45E1-90D5-4B8A252BB8A6}/8B73B275-9749-4406-994C-B871A74003B2.cs | Large array initialization: .cctor: array initializer size 11651
Source: FqjWpTMVBm.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: FqjWpTMVBm.exe PID: 5068, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: cvtres.exe PID: 2980, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01093128
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01091D70
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010918D8
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01097F70
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01090F98
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01092278
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010992E8
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010951B0
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010951C0
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01094009
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01094018
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01090427
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01090448
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01093048
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01093041
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01097C70
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01097CB8
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01099716
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_0109972F
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01090F4C
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01099752
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_0109976B
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01097F60
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01099784
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_01095BF9
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010992D8
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Code function: 1_2_010996DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_06F4F3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_06F4F080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6E51C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6EC9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6E9700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6EF7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6EB590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6E32A8
Source: FqjWpTMVBm.exe, 00000001.00000002.377328903.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDTsBTsBtRBqOtEoXvXxcmxLWqLx.exe4 vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe, 00000001.00000000.366808060.0000000000A02000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenameZZSSACVSDFDHDJJHDG335.exeL vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe, 00000001.00000002.376697949.0000000002E89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe, 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDTsBTsBtRBqOtEoXvXxcmxLWqLx.exe4 vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe, 00000001.00000002.377522791.0000000004685000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameResourceAssembly.dllD vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe | Binary or memory string: OriginalFilenameZZSSACVSDFDHDJJHDG335.exeL vs FqjWpTMVBm.exe
Source: FqjWpTMVBm.exe | Static PE information: invalid certificate
Source: FqjWpTMVBm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FqjWpTMVBm.exe | Virustotal: Detection: 56%
Source: FqjWpTMVBm.exe | Metadefender: Detection: 34%
Source: FqjWpTMVBm.exe | ReversingLabs: Detection: 53%
Source: FqjWpTMVBm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\FqjWpTMVBm.exe "C:\Users\user\Desktop\FqjWpTMVBm.exe"
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FqjWpTMVBm.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: FqjWpTMVBm.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 2.2.cvtres.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.cvtres.exe.400000.2.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.cvtres.exe.400000.4.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 2.0.cvtres.exe.400000.4.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\FqjWpTMVBm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: FqjWpTMVBm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: FqjWpTMVBm.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: FqjWpTMVBm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: ZZSSACVSDFDHDJJHDG335.pdb source: FqjWpTMVBm.exe
                Source: C:\Users\user\Desktop\FqjWpTMVBm.exeCode function: 1_2_0109646E push ebp; retf 1_2_0109646F
                Source: C:\Users\user\Desktop\FqjWpTMVBm.exeCode function: 1_2_01096478 push ebp; retf 1_2_01096479
                Source: FqjWpTMVBm.exeStatic PE information: real checksum: 0x395ac should be: 0x3a6a6
                Source: initial sampleStatic PE information: section name: .text entropy: 7.818885892211126
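The checksum mismatch (0x395ac stored, 0x3a6a6 expected) and the 7.8-bit .text entropy above are static indicators a triage script can recompute without running the sample. The Python below is an added example, not code from this report or from Joe Sandbox: pe_checksum implements the fold-and-carry algorithm used by imagehlp's CheckSumMappedFile (the same one pefile's generate_checksum reproduces), verify_checksum compares it with the stored field, and section_entropies computes Shannon entropy per section from the section table. build_minimal_pe, the sample bytes it wraps and the 7.0 "looks packed" threshold are assumptions of the example; on a real file, pass its bytes to verify_checksum and section_entropies.

```python
import math
import struct

PE32_MAGIC = 0x10B
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER (40 bytes)
PACKED_ENTROPY_THRESHOLD = 7.0    # assumption: common triage cut-off for "packed or encrypted"


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """OptionalHeader.CheckSum over `data`, ignoring the stored CheckSum dword.

    Fold-and-carry as done by imagehlp CheckSumMappedFile: add all little-endian
    32-bit words with end-around carry, fold to 16 bits, then add the file length.
    """
    remainder = len(data) % 4
    padded = data + b"\0" * ((4 - remainder) % 4)   # a trailing partial word is zero-padded
    skip = checksum_offset // 4
    checksum = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        checksum += struct.unpack_from("<I", padded, i * 4)[0]
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    checksum &= 0xFFFF
    return checksum + len(data)                      # original, unpadded length


def _pe_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def verify_checksum(data: bytes) -> tuple:
    """Return (stored, computed, matches). stored == 0 means the linker never set
    the field; only a non-zero mismatch points at post-link modification."""
    off = _pe_header_offset(data) + 4 + 20 + 0x40    # signature + COFF header + CheckSum
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_entropies(data: bytes) -> dict:
    """Map each section name to the entropy of its raw on-disk bytes."""
    e_lfanew = _pe_header_offset(data)
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                  # section table follows the optional header
    result = {}
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        result[name.rstrip(b"\0").decode("ascii", "replace")] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return result


def looks_packed(data: bytes) -> bool:
    return any(e > PACKED_ENTROPY_THRESHOLD for e in section_entropies(data).values())


def build_minimal_pe(text: bytes, stored_checksum: int = 0) -> bytes:
    """Constructed one-section PE32 image used as sample input; not a real binary."""
    e_lfanew, opt_size, hdr_size = 0x80, 0xE0, 0x200
    hdr = bytearray(hdr_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 1)      # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", hdr, e_lfanew + 20, opt_size)       # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 0x40, stored_checksum)   # OptionalHeader.CheckSum
    struct.pack_into(SECTION_HDR, hdr, opt + opt_size, b".text", len(text), 0x1000,
                     len(text), hdr_size, 0, 0, 0, 0, 0x60000020)   # code | execute | read
    return bytes(hdr) + text


if __name__ == "__main__":
    sample = build_minimal_pe(bytes(range(256)) * 4, stored_checksum=0x395AC)
    stored, computed, ok = verify_checksum(sample)
    print(f"stored {stored:#x} computed {computed:#x} match={ok}")
    print("entropy:", section_entropies(sample), "packed-looking:", looks_packed(sample))
```

A stored checksum of 0 is common for unsigned .NET builds and only means the field was never set, so treat a non-zero mismatch as the signal; for Microsoft-signed system binaries a mismatch always deserves a second look. High .text entropy fits the encrypted payload that the report's other signatures describe (the CreateDecryptor/TransformFinalBlock calls in A/F1.cs), but compressed resources and large constant tables produce similar values, so use it together with the other indicators rather than alone.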

                Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (15).png
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)

                Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe TID: 5576 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 3776 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2060 | Thread sleep count: 9568 > 30
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Window / User API: threadDelayed 9568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process information queried: ProcessInformation
Source: cvtres.exe, 00000002.00000002.636689520.000000000A370000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000002.00000003.407748576.000000000A39E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 2_2_0A6EF100 LdrInitializeThunk,2_2_0A6EF100
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 436000
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 438000
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 4ED2008
Source: FqjWpTMVBm.exe, MJCKVKLUIOR/MJCKVKLUIOR.cs | Reference to suspicious API methods: ('\x13', 'GetProcAddress@kernel32'), ('\x10', 'LoadLibraryA@kernel32')
Source: 1.0.FqjWpTMVBm.exe.a00000.0.unpack, MJCKVKLUIOR/MJCKVKLUIOR.cs | Reference to suspicious API methods: ('\x13', 'GetProcAddress@kernel32'), ('\x10', 'LoadLibraryA@kernel32')
Source: 2.2.cvtres.exe.400000.0.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 2.0.cvtres.exe.400000.2.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 2.0.cvtres.exe.400000.4.unpack, A/E1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Queries volume information: C:\Users\user\Desktop\FqjWpTMVBm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FqjWpTMVBm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
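The memory lines above record the hollowing sequence: FqjWpTMVBm.exe starts cvtres.exe with no arguments, allocates page-execute-read-write memory in it at the image base 0x400000, writes a buffer starting 4D5A (an MZ header) there, and then fills further regions. The Python below is an added example, not Joe Sandbox code: it replays that sequence over constructed events (the event field names, the DOTNET_HOSTS list and the benign notepad.exe control are this example's assumptions, not the sandbox's export schema) and reports a child as hollowed only when another process both allocated executable, writable memory in it and wrote a PE header at that same base.

```python
import ntpath

# .NET Framework utilities often chosen as hollowing hosts: Microsoft-signed, present
# wherever the framework is, and almost never started by a user. This list is an
# assumption of the example, not a Joe Sandbox signature set.
DOTNET_HOSTS = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe"}

# Constructed events modelled on the behaviour lines above. The field names are this
# example's own, not Joe Sandbox's export schema. pid 2980 is the hollowed cvtres.exe
# from the report; pid 4242 is a benign control started by explorer.exe.
EVENTS = [
    {"type": "process_create", "pid": 5068, "image": r"C:\Users\user\Desktop\FqjWpTMVBm.exe",
     "child_pid": 2980, "child_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "child_cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"},
    {"type": "mem_alloc", "pid": 5068, "target_pid": 2980, "base": 0x400000,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"type": "mem_write", "pid": 5068, "target_pid": 2980, "base": 0x400000, "data_prefix": b"MZ"},
    {"type": "mem_write", "pid": 5068, "target_pid": 2980, "base": 0x402000, "data_prefix": b"\x00\x00"},
    {"type": "mem_write", "pid": 5068, "target_pid": 2980, "base": 0x4ED2008, "data_prefix": b"\x00\x00"},
    {"type": "process_create", "pid": 1234, "image": r"C:\Windows\explorer.exe",
     "child_pid": 4242, "child_image": r"C:\Windows\System32\notepad.exe",
     "child_cmdline": r"C:\Windows\System32\notepad.exe C:\Users\user\notes.txt"},
    # a cross-process write that is not a PE header and has no RWX allocation behind it
    {"type": "mem_write", "pid": 5068, "target_pid": 4242, "base": 0x7FF0000, "data_prefix": b"\x48\x8b"},
]


def detect_hollowing(events):
    """Correlate child creation with cross-process RWX allocations and PE-header writes.

    Returns {child_pid: {"image", "indicators", "hollowed"}}. A child is `hollowed`
    only when some other process allocated executable+writable memory in it and
    then wrote an 'MZ' header at that same base address, the sequence in the report.
    """
    procs = {}
    for ev in events:
        if ev["type"] != "process_create":
            continue
        p = {"image": ev["child_image"], "indicators": [], "rwx": set(), "mz": set()}
        name = ntpath.basename(ev["child_image"]).lower()
        if name in DOTNET_HOSTS:
            p["indicators"].append(f"{name} is a .NET Framework utility rarely run by users")
        if ev["child_cmdline"].strip().strip('"') == ev["child_image"]:
            p["indicators"].append("started without command-line arguments")
        procs[ev["child_pid"]] = p
    for ev in events:
        tgt = ev.get("target_pid")
        if tgt not in procs or ev["pid"] == tgt:
            continue                                   # only cross-process operations matter
        p = procs[tgt]
        if ev["type"] == "mem_alloc" and "EXECUTE" in ev["protect"] and "WRITE" in ev["protect"]:
            p["rwx"].add(ev["base"])
            p["indicators"].append(f"pid {ev['pid']} allocated {ev['protect']} at {ev['base']:#x}")
        elif ev["type"] == "mem_write" and ev["data_prefix"].startswith(b"MZ"):
            p["mz"].add(ev["base"])
            p["indicators"].append(f"pid {ev['pid']} wrote a PE header at {ev['base']:#x}")
    return {pid: {"image": p["image"], "indicators": p["indicators"],
                  "hollowed": bool(p["rwx"] & p["mz"])}
            for pid, p in procs.items()}


if __name__ == "__main__":
    for pid, finding in detect_hollowing(EVENTS).items():
        print(pid, finding["image"], "HOLLOWED" if finding["hollowed"] else "clean")
        for line in finding["indicators"]:
            print("   -", line)
```

The same correlation can be fed from Sysmon (Event ID 1 for the child, Event ID 10 for the cross-process handle opened with write access) or from an EDR's API telemetry. Key the verdict on the address match between the allocation and the MZ write rather than on cvtres.exe by name: the host binary changes from campaign to campaign, the allocate-then-write-MZ pattern does not.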

                Stealing of Sensitive Information

Source: Yara match | File source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.634629489.0000000006FFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FqjWpTMVBm.exe PID: 5068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 2980, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 2980, type: MEMORYSTR
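The file and registry opens above are the credential stores this AgentTesla build harvests: Chrome's Login Data, the Firefox and Thunderbird profiles.ini, the two Outlook profile keys and IncrediMail identities. The Python below is an added example, not Joe Sandbox code: it flags any process that opens two or more of these stores without being the application that owns them, so cvtres.exe reading Chrome's password database is reported while chrome.exe reading it is not. The event layout, the owner mapping and the two-store threshold are assumptions of the example; the paths themselves are those listed in the report.

```python
import ntpath
from collections import defaultdict

# Credential stores the sample opened (paths as listed in the report), keyed by the
# process that legitimately reads each one. The owner mapping is an assumption of the
# example; IncrediMail is left without an owner so that any access to it is reported.
STORE_OWNERS = {
    r"\AppData\Local\Google\Chrome\User Data\Default\Login Data": {"chrome.exe"},
    r"\AppData\Roaming\Mozilla\Firefox\profiles.ini": {"firefox.exe"},
    r"\AppData\Roaming\Thunderbird\profiles.ini": {"thunderbird.exe"},
    r"\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676": {"outlook.exe"},
    r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676": {"outlook.exe"},
    r"\Software\IncrediMail\Identities": set(),
}
MIN_STORES = 2   # assumption: one hit can be incidental, two distinct stores is stealer behaviour

CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

# Constructed file/registry open events modelled on the report lines above; the field
# layout is this example's own. pids 7000-7002 are benign controls.
EVENTS = [
    {"type": "file_open", "pid": 2980, "image": CVTRES,
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "file_open", "pid": 2980, "image": CVTRES,
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "reg_open", "pid": 2980, "image": CVTRES,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open", "pid": 2980, "image": CVTRES,
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open", "pid": 2980, "image": CVTRES,
     "path": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"type": "file_open", "pid": 2980, "image": CVTRES,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 2980, "image": CVTRES,
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    # owners reading their own stores, and an unrelated file open
    {"type": "file_open", "pid": 7000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 7001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"type": "file_open", "pid": 7002, "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\Desktop\notes.txt"},
]


def flag_credential_access(events, min_stores=MIN_STORES):
    """Report processes that open at least `min_stores` credential stores they do not own.

    Returns {pid: {"image": basename, "stores": [matched store suffixes]}}. Repeated
    opens of the same store count once; matching is case-insensitive on the path tail.
    """
    touched = defaultdict(set)
    images = {}
    for ev in events:
        if ev["type"] not in ("file_open", "reg_open"):
            continue
        image = ntpath.basename(ev["image"]).lower()
        images[ev["pid"]] = image
        path = ev["path"].lower()
        for suffix, owners in STORE_OWNERS.items():
            if path.endswith(suffix.lower()) and image not in owners:
                touched[ev["pid"]].add(suffix)
    return {pid: {"image": images[pid],
                  "stores": sorted(stores)}
            for pid, stores in touched.items() if len(stores) >= min_stores}


if __name__ == "__main__":
    for pid, hit in flag_credential_access(EVENTS).items():
        print(f"pid {pid} ({hit['image']}) touched {len(hit['stores'])} credential stores:")
        for store in hit["stores"]:
            print("   -", store)
```

The owner allow-list is what keeps this quiet on a normal workstation: browsers and mail clients open these files constantly, so raw access to Login Data is not a useful alert, but a .NET build tool doing it is.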

                Remote Access Functionality

Source: Yara match | File source: 2.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.FqjWpTMVBm.exe.4dcb7a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.634629489.0000000006FFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FqjWpTMVBm.exe PID: 5068, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 2980, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in front of a technique is the report's count badge for that cell)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; 1 Native API; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 311 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 3 Software Packing
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Initial sample (Source | Detection | Scanner | Label):
FqjWpTMVBm.exe | 56% | Virustotal
FqjWpTMVBm.exe | 34% | Metadefender
FqjWpTMVBm.exe | 54% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
FqjWpTMVBm.exe | 100% | Avira | TR/AD.AgentTesla.tstiz
FqjWpTMVBm.exe | 100% | Joe Sandbox ML

Dropped files: No Antivirus matches

Unpacked PE files (Source | Detection | Scanner | Label):
2.2.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.cvtres.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
2.0.cvtres.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8
2.0.cvtres.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
2.0.cvtres.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8
2.0.cvtres.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8

Domains (Source | Detection | Scanner):
tycautomotriz.cl | 0% | Virustotal
mail.tycautomotriz.cl | 1% | Virustotal

URLs (Source | Detection | Scanner | Label):
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://mail.tycautomotriz.cl | 0% | Avira URL Cloud | safe
http://VMDVyE.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
http://tycautomotriz.cl | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
tycautomotriz.cl | 131.72.236.163 | true | false | none | unknown
mail.tycautomotriz.cl | unknown | unknown | true | none | unknown

URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://127.0.0.1:HTTP/1.1 | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://mail.tycautomotriz.cl | cvtres.exe, 00000002.00000002.635170682.0000000007096000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://VMDVyE.com | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%%startupfolder% | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://api.ipify.org% | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://tycautomotriz.cl | cvtres.exe, 00000002.00000002.635170682.0000000007096000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | cvtres.exe, 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
131.72.236.163 | tycautomotriz.cl | Chile | 263753 | GONZALEZULLOAJUANCARLOSCL | false
                Joe Sandbox Version:35.0.0 Citrine
                Analysis ID:679161
Start date and time: 2022-08-05 11:06:21 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 52s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:FqjWpTMVBm (renamed file extension from none to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 46
                • Number of non-executed functions: 9
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 23.211.6.115
                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:07:34 | API Interceptor | 1x Sleep call for process: FqjWpTMVBm.exe modified
11:07:39 | API Interceptor | 757x Sleep call for process: cvtres.exe modified
Match: 131.72.236.163 (IP)
Associated Sample Name / URL | Detection
rgvtCFNUvb.exe | malicious
Satınalma siparişi -01 0652022 Temmuz 2022,pdf.exe | malicious
Satınalma Siparişi -20 0652022 _July 2022,pdf.exe | malicious
Satınalma Siparişi -20 0652022 _July 2022,pdf.exe | malicious
SecuriteInfo.com.W32.MSIL_Troj.BGP.genEldorado.20875.exe | malicious
SecuriteInfo.com.Trojan.Crypt.MSIL.4239.exe | malicious
SecuriteInfo.com.Trojan005944ac1.13009.exe | malicious
ORDEN DE COMPRA-34002174,pdf.exe | malicious
Bestellungen -06 0652022 _July 2022,pdf.exe | malicious
GTV3285776_06172022.exe | malicious
vbc.exe | malicious
ldzOp71fAH.exe | malicious
Research Report Scripp lab.pdf | malicious
Match: GONZALEZULLOAJUANCARLOSCL (ASN)
Associated Sample Name / URL | Detection | IP
rgvtCFNUvb.exe | malicious | 131.72.236.163
Satınalma siparişi -01 0652022 Temmuz 2022,pdf.exe | malicious | 131.72.236.163
Satınalma Siparişi -20 0652022 _July 2022,pdf.exe | malicious | 131.72.236.163
Satınalma Siparişi -20 0652022 _July 2022,pdf.exe | malicious | 131.72.236.163
SecuriteInfo.com.W32.MSIL_Troj.BGP.genEldorado.20875.exe | malicious | 131.72.236.163
SecuriteInfo.com.Trojan.Crypt.MSIL.4239.exe | malicious | 131.72.236.163
SecuriteInfo.com.Trojan005944ac1.13009.exe | malicious | 131.72.236.163
ORDEN DE COMPRA-34002174,pdf.exe | malicious | 131.72.236.163
Bestellungen -06 0652022 _July 2022,pdf.exe | malicious | 131.72.236.163
GTV3285776_06172022.exe | malicious | 131.72.236.163
vbc.exe | malicious | 131.72.236.163
ldzOp71fAH.exe | malicious | 131.72.236.163
Re_ PO PO2203.0685 - AU206751.doc | malicious | 131.72.236.28
Bank_report.doc | malicious | 131.72.236.28
MR-HLG-21665Project No S02E110101415.doc | malicious | 131.72.236.28
http://whfabv.7pagl.lilianariquelme.cl/.aihljj6.aHR0cDovL2FtZXRla3dhdGVyLmNvbS9jY2doaS9lam9obnNvbkBoeWNpdGUuY29t | malicious | 131.72.236.173
https://indd.adobe.com/view/ab1ee201-beeb-459f-9d8f-ae1330bbae41 | malicious | 131.72.236.123
Draft_shipping_document.vbs | malicious | 131.72.236.123
REF ID 379334327993.html | malicious | 131.72.236.73
REF ID 365357119662.html | malicious | 131.72.236.73
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\FqjWpTMVBm.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):226
                                          Entropy (8bit):5.3467126928258955
                                          Encrypted:false
                                          SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                          MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                          SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                                          SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                                          SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.791868867879629
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:FqjWpTMVBm.exe
                                          File size:227744
                                          MD5:f8b75a887b9774203f7d77de434f40ea
                                          SHA1:e19add1ef9b87ef54de6870b229cfbcaaeddb0fa
                                          SHA256:de373cb42386f956133546049fa24b0ec459a78c7e667c9d05c366c198b680b3
                                          SHA512:d147d34dfa0e4e2544dc1971e490e6242e3ec43410d6ce8e80edbaeb1c112dc2ebb586ff265e56f2f96b177fc538362d3d38ee6d98ea3a5297174fd3e05667b6
                                          SSDEEP:6144:9ozPrnXx5dQkZdis9lWV8TSGjF/A/iepoUPNzHnt4V:9OPLhldis9YV8mGjF/8RpVVzHnt4V
                                          TLSH:EB24CF8CB690749FC41BCA728AA45C20AB706676530BD203A473B2AC9D4D7DBCF15DF2
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .b..............0..6...........U... ...`....@.. ....................................`................................
                                          Icon Hash:4f050d0d0d054f90
                                          Entrypoint:0x4355ae
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x62D92020 [Thu Jul 21 09:45:04 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:false
                                          Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                          Signature Validation Error:The digital signature of the object did not verify
                                          Error Number:-2146869232
                                          Not Before, Not After
                                          • 9/2/2021 11:33:02 AM 9/1/2022 11:33:02 AM
                                          Subject Chain
                                          • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                          Version:3
                                          Thumbprint MD5:550C27BE6F1184B6CC93B4B4E2EA9D58
                                          Thumbprint SHA-1:C9CAEDC2CECF953E812C6446D41927B9864BB880
                                          Thumbprint SHA-256:63E8D95BCEE4522E6380E7F9305A676C0880AD93AD3BA9CB53FE43D6081A1025
                                          Serial:3300000255181DA42EE086FC15000000000255
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the rest of the listed bytes)
The only real instruction at the entrypoint is the standard managed-code stub: an indirect jump through the IAT (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 8, which is 0x402000 at the preferred ImageBase of 0x400000), whose single entry is mscoree.dll!_CorExeMain. The bytes after the stub are zero padding, which the disassembler renders as `add byte ptr [eax], al` (opcode 00 00).
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x35560 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x176a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x35200 | 0x27a0 | (file offset, not an RVA; the Authenticode blob is outside every section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x35510 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x335b4 | 0x33600 | False | 0.8921361770072993 | data | 7.818885892211126 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x36000 | 0x176a | 0x1800 | False | 0.3414713541666667 | data | 5.485078903544396 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x38000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x36148 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951 (a libmagic misidentification of the icon's DIB bitmap data) | | 
RT_GROUP_ICON | 0x371f0 | 0x14 | data | | 
RT_VERSION | 0x37204 | 0x37c | data | | 
RT_MANIFEST | 0x37580 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | 
DLL | Import
mscoree.dll | _CorExeMain
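The static data above gives an analyst three things to check before detonation: an Authenticode blob (security directory at file offset 0x35200, 0x27a0 bytes) carrying a Microsoft-issued chain that does not verify, a CLR header (COM descriptor at RVA 0x2008, so this is a managed image), and a .text section with entropy 7.82 in a 227 KB file, which is packer territory. The Python below is an added example of that triage in pure Python; it is not Joe Sandbox code. build_sample_pe() constructs a small two-section PE32 image in memory so the parser runs offline; the layout is illustrative and is not the analysed sample's bytes. Two caveats the code encodes: the security directory value is a file offset rather than an RVA, and the presence of a blob says nothing about validity, which needs the Authenticode hash and chain check (Get-AuthenticodeSignature or signtool verify on Windows) that this example deliberately does not attempt.

```python
"""Static PE32 triage: Authenticode blob present?  .NET image?  Which sections
have packer-grade entropy?  Added example, not Joe Sandbox code.  The sample
image built by build_sample_pe() is constructed and illustrative only."""
import hashlib
import math
import struct

DIR_SECURITY = 4          # (file offset, size) of the WIN_CERTIFICATE blob
DIR_COM_DESCRIPTOR = 14   # CLR header; non-zero size => managed (.NET) image
PACKED_THRESHOLD = 7.5    # bits/byte; the analysed sample's .text scores 7.82


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Minimal PE32 reader: data directories plus per-section entropy."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) handled here")
    # PE32: the 16 data directories start 96 bytes into the optional header
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "entropy": round(shannon_entropy(raw), 3)})
    return {
        # presence only; a blob can be copied from a legitimate file and will
        # then fail verification, exactly what this report shows
        "has_authenticode_blob": dirs[DIR_SECURITY][1] > 0,
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR][1] > 0,
        "packed_sections": [s["name"] for s in sections if s["entropy"] > PACKED_THRESHOLD],
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 with a CLR header and a dummy cert blob."""
    text = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB, near-random
    rsrc = (b"\0" * 400 + b"RESOURCE" * 13).ljust(0x200, b"\0")             # low entropy
    cert = b"\0" * 0x100                                                     # placeholder blob
    hdr_size, text_off, rsrc_off = 0x200, 0x200, 0xA00
    cert_off = rsrc_off + len(rsrc)
    dirs = [(0, 0)] * 16
    dirs[DIR_SECURITY] = (cert_off, len(cert))        # file offset, not RVA
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)         # same RVA/size as the report
    opt = (struct.pack("<HBB", 0x10B, 0, 0)
           + struct.pack("<9I", len(text), len(rsrc), 0, 0x2000, 0x2000, 0x4000, 0x400000, 0x2000, 0x200)
           + struct.pack("<6H", 4, 0, 0, 0, 4, 0)
           + struct.pack("<4I", 0, 0x6000, hdr_size, 0)
           + struct.pack("<2H", 2, 0x8540)
           + struct.pack("<6I", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
           + b"".join(struct.pack("<II", rva, size) for rva, size in dirs))
    assert len(opt) == 224  # size of a PE32 optional header with 16 directories

    def section(name, va, vsize, raw_off, raw_len, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_len, raw_off, 0, 0, 0, 0, chars)

    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102) + opt
    hdr += section(b".text", 0x2000, len(text), text_off, len(text), 0x60000020)
    hdr += section(b".rsrc", 0x4000, len(rsrc), rsrc_off, len(rsrc), 0x40000040)
    return hdr.ljust(hdr_size, b"\0") + text + rsrc + cert


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```

Run against a real file with `parse_pe(open(path, "rb").read())`; for the sample in this report the expected result is has_authenticode_blob and is_dotnet both true and .text in packed_sections, which is the combination that should send the file to a sandbox rather than to an allow-list.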
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:07:46.565253973 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:46.793812990 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:46.794018030 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:47.626421928 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:47.627425909 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:47.855689049 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:47.906838894 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:48.135126114 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:48.135590076 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:48.403573990 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:50.377939939 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:50.619076967 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:51.005968094 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:51.234277964 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:51.234656096 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:51.235804081 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Aug 5, 2022 11:07:51.235888958 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:51.333825111 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163
Aug 5, 2022 11:07:51.561659098 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 11:07:46.036142111 CEST | 58723 | 53 | 192.168.2.6 | 8.8.8.8
Aug 5, 2022 11:07:46.268486977 CEST | 53 | 58723 | 8.8.8.8 | 192.168.2.6
Aug 5, 2022 11:07:46.309483051 CEST | 51971 | 53 | 192.168.2.6 | 8.8.8.8
Aug 5, 2022 11:07:46.552295923 CEST | 53 | 51971 | 8.8.8.8 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 11:07:46.036142111 CEST | 192.168.2.6 | 8.8.8.8 | 0xae4c | Standard query (0) | mail.tycautomotriz.cl | A (IP address) | IN (0x0001)
Aug 5, 2022 11:07:46.309483051 CEST | 192.168.2.6 | 8.8.8.8 | 0x4b5 | Standard query (0) | mail.tycautomotriz.cl | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 11:07:46.268486977 CEST | 8.8.8.8 | 192.168.2.6 | 0xae4c | No error (0) | mail.tycautomotriz.cl | tycautomotriz.cl | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 11:07:46.268486977 CEST | 8.8.8.8 | 192.168.2.6 | 0xae4c | No error (0) | tycautomotriz.cl | | 131.72.236.163 | A (IP address) | IN (0x0001)
Aug 5, 2022 11:07:46.552295923 CEST | 8.8.8.8 | 192.168.2.6 | 0x4b5 | No error (0) | mail.tycautomotriz.cl | tycautomotriz.cl | | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 11:07:46.552295923 CEST | 8.8.8.8 | 192.168.2.6 | 0x4b5 | No error (0) | tycautomotriz.cl | | 131.72.236.163 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 5, 2022 11:07:47.626421928 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6 | 220-srv35.benzahosting.cl ESMTP Exim 4.95 #2 Fri, 05 Aug 2022 05:07:47 -0400
  220-We do not authorize the use of this system to transport unsolicited,
  220 and/or bulk e-mail.
Aug 5, 2022 11:07:47.627425909 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163 | EHLO 506013
Aug 5, 2022 11:07:47.855689049 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6 | 250-srv35.benzahosting.cl Hello 506013 [102.129.143.3]
  250-SIZE 52428800
  250-8BITMIME
  250-PIPELINING
  250-PIPE_CONNECT
  250-AUTH PLAIN LOGIN
  250-STARTTLS
  250 HELP
Aug 5, 2022 11:07:47.906838894 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163 | AUTH login Y29udGFjdG9AdHljYXV0b21vdHJpei5jbA==
Aug 5, 2022 11:07:48.135126114 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Aug 5, 2022 11:07:50.377939939 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6 | 535 Incorrect authentication data
Aug 5, 2022 11:07:51.005968094 CEST | 49767 | 587 | 192.168.2.6 | 131.72.236.163 | MAIL FROM:<contacto@tycautomotriz.cl>
Aug 5, 2022 11:07:51.234656096 CEST | 587 | 49767 | 131.72.236.163 | 192.168.2.6 | 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
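The SMTP exchange above is the stealer's exfiltration channel: the client offers AUTH LOGIN, which is only base64, on port 587 before any STARTTLS, so a passive capture hands over the mailbox identity (the token decodes to contacto@tycautomotriz.cl, the server's 334 challenge decodes to "Password:"). The server then rejects the login (535) and the MAIL FROM (550, because the HELO name 506013 is not an FQDN), so this run exfiltrated nothing. The Python below is an added example of pulling those facts out of a captured session; it is not Joe Sandbox code. TRANSCRIPT is the report's exchange with client/server direction markers added; the client's password line is not in the report, so the parser records it as absent rather than inventing it.

```python
"""Extract the exfiltration identity from a captured SMTP session.  AUTH LOGIN
is base64, not encryption, so a plain capture yields the account the stealer
reports to.  Added example, not Joe Sandbox code.  TRANSCRIPT is this
report's exchange with direction markers added; no password line exists."""
import base64
import binascii
import re

TRANSCRIPT = [
    ("S", "220-srv35.benzahosting.cl ESMTP Exim 4.95 #2 Fri, 05 Aug 2022 05:07:47 -0400"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 506013"),
    ("S", "250-srv35.benzahosting.cl Hello 506013 [102.129.143.3]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH login Y29udGFjdG9AdHljYXV0b21vdHJpei5jbA=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "535 Incorrect authentication data"),
    ("C", "MAIL FROM:<contacto@tycautomotriz.cl>"),
    ("S", "550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)"),
]


def b64_text(token: str):
    """Decode one SMTP base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_smtp_session(transcript) -> dict:
    """Walk client/server lines and record what the authentication exposed."""
    info = {"server": None, "helo": None, "auth_user": None, "auth_password": None,
            "auth_result": None, "mail_from": None, "starttls_offered": False,
            "auth_in_cleartext": False}
    expecting = None      # "username" / "password" while an AUTH LOGIN is in progress
    tls_started = False
    for who, line in transcript:
        if who == "S":
            code = line[:3]
            if code == "220" and info["server"] is None:
                info["server"] = line[4:].split()[0]
            elif code == "250" and "STARTTLS" in line.upper():
                info["starttls_offered"] = True
            elif code == "334":           # challenge: decode it to learn what is asked for
                prompt = (b64_text(line[4:].strip()) or "").lower()
                expecting = "password" if prompt.startswith("password") else "username"
            elif code in ("235", "535"):  # auth accepted / rejected ends the sequence
                info["auth_result"], expecting = code, None
            continue
        if expecting:                     # client answers the last 334 challenge
            key = "auth_password" if expecting == "password" else "auth_user"
            info[key] = b64_text(line.strip())
            expecting = None
            continue
        m = re.match(r"(?:EHLO|HELO)\s+(\S+)", line, re.I)
        if m:
            info["helo"] = m.group(1)
        elif line.strip().upper() == "STARTTLS":
            tls_started = True
        elif (m := re.match(r"AUTH\s+LOGIN(?:\s+(\S+))?", line, re.I)):
            info["auth_in_cleartext"] = not tls_started
            if m.group(1):                # initial-response form: username sent inline
                info["auth_user"] = b64_text(m.group(1))
        elif (m := re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.I)):
            info["mail_from"] = m.group(1)
    return info


def session_findings(info: dict) -> list:
    """Reasons an analyst would flag the session; each one is checkable above."""
    reasons = []
    if info["helo"] and "." not in info["helo"]:
        reasons.append(f"HELO name {info['helo']!r} is not an FQDN")
    if info["auth_in_cleartext"]:
        reasons.append("AUTH LOGIN sent before STARTTLS: credentials readable on the wire")
    if info["auth_user"] and info["auth_user"] == info["mail_from"]:
        reasons.append("MAIL FROM equals the AUTH identity: sending through the account it logged into")
    if info["auth_result"] == "535":
        reasons.append("authentication rejected (535): this run exfiltrated nothing")
    return reasons


if __name__ == "__main__":
    session = extract_smtp_session(TRANSCRIPT)
    print(session)
    print(*session_findings(session), sep="\n")
```

The same extraction works on a Zeek smtp.log or a tshark `-Y smtp` follow-stream dump once the lines are tagged by direction; the useful blocking indicator is the mailbox in auth_user, not the server, since the server here is a shared hosting MX that also serves the legitimate domain.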


                                          Target ID:1
                                          Start time:11:07:32
                                          Start date:05/08/2022
                                          Path:C:\Users\user\Desktop\FqjWpTMVBm.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\FqjWpTMVBm.exe"
                                          Imagebase:0xa00000
                                          File size:227744 bytes
                                          MD5 hash:F8B75A887B9774203F7D77DE434F40EA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
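The second process entry that follows is cvtres.exe, the .NET Framework resource converter, started by the sample two seconds after its own launch with a bare command line and no arguments. Its Yara hits sit at 0x402000, which is the sample's own .text RVA (0x2000) at the sample's preferred ImageBase of 0x400000, while cvtres.exe itself is loaded at 0x3a0000; the matched memory is therefore the injected image, consistent with the "Injects a PE file into a foreign processes" and "Writes to foreign memory regions" signatures. The Python below is an added detection example over process-creation records, written for this page and not taken from Joe Sandbox or any EDR; the two malicious records reproduce this report's process entries (the parent of the first is assumed to be explorer.exe), the benign linker launch is constructed, and the host and parent lists beyond cvtres.exe are my generalization to the other .NET Framework utilities that loaders hollow the same way.

```python
"""Flag a hollowed .NET Framework host: a utility such as cvtres.exe started
with no arguments by a parent that is not a build tool, typically from a
user-writable path.  Added example, not Joe Sandbox or Sysmon code.  EVENTS
are constructed from this report's process list plus one benign launch."""
import ntpath

# cvtres.exe is the host in this report; the others are my generalization
DOTNET_HOSTS = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
# parents that legitimately spawn those utilities (assumed, tune per estate)
BUILD_TOOLS = {"link.exe", "cl.exe", "devenv.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

EVENTS = [
    {"pid": 1, "time": "11:07:32",                                   # Target 1
     "image": r"C:\Users\user\Desktop\FqjWpTMVBm.exe",
     "cmdline": r'"C:\Users\user\Desktop\FqjWpTMVBm.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},                    # parent assumed
    {"pid": 2, "time": "11:07:34",                                   # Target 2
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "parent_image": r"C:\Users\user\Desktop\FqjWpTMVBm.exe"},
    {"pid": 3, "time": "11:09:00",                                   # constructed benign
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /MACHINE:x86 "/OUT:C:\build\app.res" C:\build\app.rc',
     "parent_image": r"C:\BuildTools\VC\bin\link.exe"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the image-path token (quoted or bare)."""
    cl = cmdline.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def hollowing_candidates(events) -> list:
    """Children in DOTNET_HOSTS started without arguments, with the parent
    facts that make the launch suspicious attached as reasons."""
    alerts = []
    for ev in events:
        if _basename(ev["image"]) not in DOTNET_HOSTS or has_arguments(ev["cmdline"]):
            continue                      # real tool use always passes arguments
        parent = ev["parent_image"].lower()
        reasons = ["launched with no arguments"]
        if _basename(parent) not in BUILD_TOOLS:
            reasons.append(f"parent {_basename(parent)} is not a build tool")
        if any(p in parent for p in USER_WRITABLE):
            reasons.append("parent runs from a user-writable path")
        if len(reasons) > 1:              # bare launch alone is not enough
            alerts.append({"pid": ev["pid"], "time": ev["time"],
                           "child": _basename(ev["image"]),
                           "parent": ev["parent_image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in hollowing_candidates(EVENTS):
        print(alert)
```

On a live host the same three fields come from Sysmon event 1 (Image, CommandLine, ParentImage) or Windows 4688 with command-line auditing on; pairing the rule with a Sysmon event 8 or 10 (CreateRemoteThread / ProcessAccess) from the same parent against the same child turns a candidate into a confident hollowing detection.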

                                          Target ID:2
                                          Start time:11:07:34
                                          Start date:05/08/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                          Imagebase:0x3a0000
                                          File size:43176 bytes
                                          MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.372648537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.373105695.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.634629489.0000000006FFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000000.374189805.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          Reputation:moderate
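The Yara matches above are the most telling artefacts in this entry: every AgentTesla hit for target 2 sits at 0000000000402000, while the report gives cvtres.exe an Imagebase of 0x3a0000. Code at a typical 0x400000 preferred base inside a process whose own image is loaded elsewhere is what an injected (here, hollowed-in) payload looks like. The following is an added example, not Joe Sandbox's own code: it parses match lines in the report's "Rule: ..., Source: ....sdmp" format and flags hits that fall in executable, writable, private memory outside the host image. The target ID (first field) and the address (fourth field) of a dump name are verifiable on the page; treating the fifth and seventh fields as page protection and memory type is an assumption, and the 0x10000 image size used for cvtres.exe is an assumed upper bound since the report states only the 43176-byte file size.

```python
import re

# Constructed input: Yara match lines in the report's own format, copied from the
# Target ID 2 (cvtres.exe) entry plus one Target ID 1 line for contrast.
YARA_LINES = """\
Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.373575216.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000002.00000002.632455150.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.634341164.0000000006FB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.634629489.0000000006FFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.378242847.00000000048E2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
"""

# Image base per target: 0x3a0000 for target 2 is from the report. The 0x10000
# SizeOfImage is an ASSUMED upper bound (the page only states the file size).
IMAGES = {2: (0x3A0000, 0x10000)}

PAGE_EXECUTE_READWRITE = 0x40   # Windows page-protection constant
MEM_PRIVATE = 0x20000           # Windows memory-type constant

LINE_RE = re.compile(r"Rule: (?P<rule>\S+), .*?Source: (?P<src>\S+\.sdmp)")


def parse_source(name):
    """Split a dump file name into its fields.

    Field 0 (target ID) and field 3 (region base address) can be checked against
    the report. Fields 4 and 6 are ASSUMED to be the region's page protection and
    memory type, in MEMORY_BASIC_INFORMATION order.
    """
    if name.endswith(".sdmp"):
        name = name[: -len(".sdmp")]
    f = name.split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    return {"target": int(f[0]), "address": int(f[3], 16),
            "protect": int(f[4], 16), "mem_type": int(f[6], 16)}


def classify_hits(text, images=IMAGES):
    """Annotate every Yara hit with whether it lies inside the host image and
    whether it looks like injected code (RWX private memory outside the image)."""
    hits = []
    for m in LINE_RE.finditer(text):
        info = parse_source(m.group("src"))
        base, size = images.get(info["target"], (None, 0))
        in_image = base is not None and base <= info["address"] < base + size
        info["rule"] = m.group("rule")
        info["in_image"] = in_image
        info["injected_code"] = (not in_image
                                 and info["protect"] == PAGE_EXECUTE_READWRITE
                                 and info["mem_type"] == MEM_PRIVATE)
        hits.append(info)
    return hits


def injected_regions(text, images=IMAGES):
    """Distinct (target, address) pairs whose Yara hits sit in RWX private memory."""
    return sorted({(h["target"], h["address"])
                   for h in classify_hits(text, images) if h["injected_code"]})


if __name__ == "__main__":
    for h in classify_hits(YARA_LINES):
        print(f"target {h['target']} {h['address']:#010x} protect={h['protect']:#04x} "
              f"in_image={h['in_image']} injected={h['injected_code']} {h['rule']}")
    print("injected regions:", [(t, hex(a)) for t, a in injected_regions(YARA_LINES)])
```

The heap hits at 0x6FB3000 and 0x6FFE000 are read/write only and are where the unpacked stealer strings live; the 0x402000 region is the one to carve out of a memory dump for static analysis, because it is the payload's own image rather than a heap copy.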


                                            Execution Graph

                                            Execution Coverage:24.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:73
                                            Total number of Limit Nodes:0
                                            execution_graph (node listing summarised; each API node with the entry point that reaches it):
                                            • 109a028, 109a8b7, 109aaf6 → WriteProcessMemory at 1098ac8 / 1098ad0 / 1098b1c
                                            • 109a65d → CreateProcessA at 1098edf
                                            • 109a0dd → VirtualAllocEx at 10989f4
                                            • 109a760 → ReadProcessMemory at 1098c28 / 1098c74
                                            • 109aa5d, 109a5a7 → SetThreadContext at 1098880 / 1098888 / 10988d1
                                            • 1099ba6 → ResumeThread at 109861f / 1098670 / 1098716 / 10987dc / 10987f5
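Read together, the API nodes in the execution graph are the process-hollowing sequence: CreateProcessA (suspended host), VirtualAllocEx and WriteProcessMemory (carve out space and copy the payload in), ReadProcessMemory (inspect the host's PEB / headers), SetThreadContext (redirect the main thread's entry point) and ResumeThread. That matches the report's signatures "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes", and the cvtres.exe entry above with AgentTesla hits at 0x402000. The following is an added example, not Joe Sandbox's code: it parses a listing in the report's execution_graph format (nodes as "<id> <addr> [ApiName]", edges as "<from>-><to>") and checks whether the complete hollowing chain is present. The embedded excerpt is constructed from node ids and addresses in the listing above and is shortened.

```python
import re
from collections import defaultdict

HEX = re.compile(r"[0-9a-fA-F]+")
NAME = re.compile(r"[A-Za-z_]\w*")

# The Win32 calls that, taken together, make up process hollowing: spawn a
# (suspended) host, allocate in it, write the payload, repoint the main thread,
# resume. ReadProcessMemory is common but not required, so it is not in the set.
HOLLOWING_APIS = {"CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread"}

# Constructed excerpt in the report's execution_graph format (node ids and
# addresses copied from the listing above, shortened to a few paths).
SAMPLE_GRAPH = """execution_graph 3673 109a028 3677 1098ac8 3673->3677 3681 1098ad0 3673->3681 3674 109a049
3678 1098ad0 WriteProcessMemory 3677->3678 3680 1098bb5 3678->3680 3680->3674
3737 109a65d 3738 109a667 3737->3738 3742 1098e58 3738->3742 3743 1098edf CreateProcessA 3742->3743 3745 1099134 3743->3745
3750 109aa5d 3752 1098888 SetThreadContext 3750->3752 3759 10989a8 3760 10989f4 VirtualAllocEx 3759->3760
3690 1098c28 3691 1098c74 ReadProcessMemory 3690->3691 3717 1098798 3718 10987dc ResumeThread 3717->3718"""


def parse_execution_graph(text):
    """Return ({node_id: (addr, api_or_None)}, [(src, dst), ...]).

    Tokens are scanned left to right: "a->b" is an edge; a decimal id followed
    by a hex address is a node, and a following non-hex identifier is the API
    name the node calls. Anything else (the "execution_graph" label) is skipped.
    """
    tokens = text.split()
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and HEX.fullmatch(tokens[i + 1]):
            api = None
            if i + 2 < len(tokens):
                nxt = tokens[i + 2]
                if NAME.fullmatch(nxt) and not HEX.fullmatch(nxt):
                    api = nxt
            nodes[int(tok)] = (tokens[i + 1], api)
            i += 3 if api else 2
        else:
            i += 1
    return nodes, edges


def api_call_sites(nodes):
    """API name -> sorted addresses of the graph nodes that call it."""
    sites = defaultdict(set)
    for addr, api in nodes.values():
        if api:
            sites[api].add(addr)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def hollowing_chain(nodes):
    """(present, missing) hollowing APIs; the chain is complete when missing is empty."""
    seen = set(api_call_sites(nodes))
    return sorted(HOLLOWING_APIS & seen), sorted(HOLLOWING_APIS - seen)


def is_process_hollowing(nodes):
    return not hollowing_chain(nodes)[1]


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api, addrs in sorted(api_call_sites(nodes).items()):
        print(f"  {api:<20} {', '.join(addrs)}")
    present, missing = hollowing_chain(nodes)
    print("hollowing chain complete:", is_process_hollowing(nodes), "missing:", missing)
```

The graph only proves the calls exist in reachable code; the report's "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures are what confirm they executed against another process. A partial chain (for example CreateProcessA without SetThreadContext) is worth reporting separately, since loaders that use a different injection primitive still start the same way.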

                                            Control-flow Graph

                                            control_flow_graph: function 1090f4c-10912ef (block adjacency data omitted); its blocks call 10918d8 and 1091330, and the shared tail block at 10912df dispatches to one of 1092278, 10929e8, 10923eb, 1092a13 or 1092ff6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8kn+$8kn+
                                            • API String ID: 0-1511901926
                                            • Opcode ID: 723235960f9d2a4f1815113ef9b61b051b325c5f41eaaf9041658d74d4b14d0b
                                            • Instruction ID: dae366dfc6c69f244789db9624da30427736ff399db974619c756faf1303c55d
                                            • Opcode Fuzzy Hash: 723235960f9d2a4f1815113ef9b61b051b325c5f41eaaf9041658d74d4b14d0b
                                            • Instruction Fuzzy Hash: C9B126B4E05219DFCB08CFA9C8919AEBBF2FF89314F20812AE405AB365D7755902CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph: function 1090f98-10912ef (block adjacency data omitted; same body as the 1090f4c entry above); its blocks call 10918d8 and 1091330, and the shared tail block at 10912df dispatches to one of 1092278, 10929e8, 10923eb, 1092a13 or 1092ff6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8kn+$8kn+
                                            • API String ID: 0-1511901926
                                            • Opcode ID: 1f17a43a245a6247bc449f7458ebd41c63077f208a801a27d7c215694f37be4c
                                            • Instruction ID: 82d48f9e5fba2339aa0f0c44d25083f632836be33cce44bcf1ca3cc66c878760
                                            • Opcode Fuzzy Hash: 1f17a43a245a6247bc449f7458ebd41c63077f208a801a27d7c215694f37be4c
                                            • Instruction Fuzzy Hash: 51B1E2B4E0521A9FCF04CFA9C9909AEBBB2BF89310F20852AE405BB354D7759A05CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph: function 1091d70-1091fc5 (block adjacency data omitted); a switch-style dispatch from the block at 1091de9 with no calls or API references
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: '6A]$M
                                            • API String ID: 0-994281275
                                            • Opcode ID: 2a4fd4a8191c11ef8da589da04958714ef165f36f06a4fbcc30facb2119d6b41
                                            • Instruction ID: 5d1b810a42cacbc8a76ff623897d3aeb5fde77061932e8ed561131e822af72a2
                                            • Opcode Fuzzy Hash: 2a4fd4a8191c11ef8da589da04958714ef165f36f06a4fbcc30facb2119d6b41
                                            • Instruction Fuzzy Hash: 7C7124B4E0520ADFCB04DFA9D4909AEFBB2FF89360F14846AD555AB314D3349A42CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4c90c78c1fed1a0eececa3d751c5385e972bf0cf4b1d8eb1d5a5d2cbc0ef367
                                            • Instruction ID: 4fb72d5586afe399925ebc7795cdc8d4ade12d6e1869588426a423b176a16cb9
                                            • Opcode Fuzzy Hash: c4c90c78c1fed1a0eececa3d751c5385e972bf0cf4b1d8eb1d5a5d2cbc0ef367
                                            • Instruction Fuzzy Hash: BAF1ADB0D05206DFCB09CFB5D4955AEFBB2FF89310B2484A9C496EB264D7359A42CF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97c23b5eaa187ba24b0276c3194dc8ad93a27f1890c97ed45fd26067f16026a2
                                            • Instruction ID: f8d5a6c9d4d558ac6f86dcd2757597befa5d7fe33a76e4eeca0c10a65de3868b
                                            • Opcode Fuzzy Hash: 97c23b5eaa187ba24b0276c3194dc8ad93a27f1890c97ed45fd26067f16026a2
                                            • Instruction Fuzzy Hash: DDF1AF70D0520ADFCB09CFB5D4955AEFBB2FF89310B2484A9C456EB264D7359A42CF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54708bfe484ffe011502af1dfa6bb245e33516979de6da3050c18c547169562a
                                            • Instruction ID: 05213c5ade44086d61165c73476abb84168338ed27ad631ce3d5284bf8ce83a9
                                            • Opcode Fuzzy Hash: 54708bfe484ffe011502af1dfa6bb245e33516979de6da3050c18c547169562a
                                            • Instruction Fuzzy Hash: 94D17DB4E0420ADFCB08CFA6D4948AEFBB2FF89301F25C555C555AB254D734AA42CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a7b78c60de9ab1a1850ea2b228d28c7848b0099cc004d8041f296dbc537bee94
                                            • Instruction ID: fe772149fc54a3249743fb0c846404fd1b5d3386fd355ae0e53b047450899952
                                            • Opcode Fuzzy Hash: a7b78c60de9ab1a1850ea2b228d28c7848b0099cc004d8041f296dbc537bee94
                                            • Instruction Fuzzy Hash: FBD101B0E18229CBDF69CF65C8507DEB6B6BF89300F10D1EA954DA7244EB345B819F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e4c5182976b409d5cb55300cdddafeb6ea6a92196e837c4180bd28f690b3053
                                            • Instruction ID: 3e31e4bad7bec19aec951c4113457dc508a434c51742a82a53be1ec7db480fbc
                                            • Opcode Fuzzy Hash: 5e4c5182976b409d5cb55300cdddafeb6ea6a92196e837c4180bd28f690b3053
                                            • Instruction Fuzzy Hash: DDD12FB0E04229CBCF69CF25C850BDEBBB6BF89304F10D1EA9549A7244EB345B818F10
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 50583d2761caf2cf7540ead8783593bd708a584fecf20a063b948394a0f9643f
                                            • Instruction ID: fb55363b8891d687d697ed5da88a73486a56fcfd1cff376fad57aecb81f649df
                                            • Opcode Fuzzy Hash: 50583d2761caf2cf7540ead8783593bd708a584fecf20a063b948394a0f9643f
                                            • Instruction Fuzzy Hash: 9FC1F1B4E14229CBCF69CF24C850BDEB7B6AF99304F1095EA954AB7244EB345F818F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49f76da8cc4b89b0276735c6dff4a27045eb24f5d4e59b181e033529209dd8d1
                                            • Instruction ID: 4534056b253dc35d0dd53300c91c0def0de36deb0615afdccb315f9e8baba197
                                            • Opcode Fuzzy Hash: 49f76da8cc4b89b0276735c6dff4a27045eb24f5d4e59b181e033529209dd8d1
                                            • Instruction Fuzzy Hash: 76C1F3B4E14229CBCF69CF24C850BDEB7B6AF99304F1095EA954AB7244EB345F818F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f58c6a41474e963a41134d2f98e9a4aa6262437450b02732aa814fd0631c086
                                            • Instruction ID: 6925e72c268338d46d60492767cf8b2b2b4ac3c016ee8e07addecdb5a41b5170
                                            • Opcode Fuzzy Hash: 2f58c6a41474e963a41134d2f98e9a4aa6262437450b02732aa814fd0631c086
                                            • Instruction Fuzzy Hash: ECC111B4E14229CBCF69CF24C850BDEB7B6AF89304F1091EA954AB7244EB345F808F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e71a83259c1af91227fc430fd281ac6f15eb79ad7ac4c36e360d7a9f43ebf720
                                            • Instruction ID: 7267ef6417722275307a4725b93bb54d8ae7e3361d3733736b10fbfaac0f2a3b
                                            • Opcode Fuzzy Hash: e71a83259c1af91227fc430fd281ac6f15eb79ad7ac4c36e360d7a9f43ebf720
                                            • Instruction Fuzzy Hash: 08C111B4E14229CBCF69CF24C850BDEB7B6AF99304F1095EA954AB7244EB345F818F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 11c9199adcb6b89708db3c7ee2eef1ab258f7e88a90d9d1569d3e0944bf13f90
                                            • Instruction ID: 808a8abf61a4799eb141efe1fb4adb100b3c2cad5cba2b293143aef704fdadd0
                                            • Opcode Fuzzy Hash: 11c9199adcb6b89708db3c7ee2eef1ab258f7e88a90d9d1569d3e0944bf13f90
                                            • Instruction Fuzzy Hash: 7CC100B4E14229CBCF69CF24C850BDEB7B6AF99304F1095EA954AB7244EB345F818F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 074d9772aabe2826c8834ce24e4372101171ce304f91d30221f2be48655587e8
                                            • Instruction ID: 5a651dfb89f69c5a0dfde01251d5aa5779b9835b60ef7727a97603a254b26472
                                            • Opcode Fuzzy Hash: 074d9772aabe2826c8834ce24e4372101171ce304f91d30221f2be48655587e8
                                            • Instruction Fuzzy Hash: 2AC111B4E14229CBCF69CF24C850BDEB7B6AF89304F1095EA954AB7244EB345F819F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 219cb2787fee57cc2e22200f61380c8369d80ed7c66103c42dc9370c6f4b7a15
                                            • Instruction ID: a3bfe6290c6cd2437c10c02d24b89aea82a4a3b8322d3fe6ca62040833099fe4
                                            • Opcode Fuzzy Hash: 219cb2787fee57cc2e22200f61380c8369d80ed7c66103c42dc9370c6f4b7a15
                                            • Instruction Fuzzy Hash: 02B147B4E1421ADFCF04CFA9C9919AEFBB2FB89300F148696D555BB215D3309A41DFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cb1b82d840d574ea094efb93750adf888fd33d93f87834e602e0deb84b065dba
                                            • Instruction ID: 15cb9512ff413730e70522c725d6678759c1d136ec80b78eaafa6cc068256b44
                                            • Opcode Fuzzy Hash: cb1b82d840d574ea094efb93750adf888fd33d93f87834e602e0deb84b065dba
                                            • Instruction Fuzzy Hash: CEB168B4D1420ADFCF04CFA9C5919AEFBB2FF86300B248696D595EB255D3309A41DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03caa43aeeee031593aca6d25e28fee3042a79e6ce4492d27483f648fe78f967
                                            • Instruction ID: 5cde2d4b4c6c26b21df91e678dcbc65e35ccbabf99addb46220259939b07a80e
                                            • Opcode Fuzzy Hash: 03caa43aeeee031593aca6d25e28fee3042a79e6ce4492d27483f648fe78f967
                                            • Instruction Fuzzy Hash: 1A511870E0520ADFDB09CFAAD8506AEFBF2BF89310F14C06AD459B7255D3389A418F94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 12563260dabf5ed93152c95f836be6fc186d4781a52ed7f8ec383153a772666b
                                            • Instruction ID: 088d8c034575d54cef19f65e467279702745970a0c077a2b58566cc189aadc32
                                            • Opcode Fuzzy Hash: 12563260dabf5ed93152c95f836be6fc186d4781a52ed7f8ec383153a772666b
                                            • Instruction Fuzzy Hash: 67312771E006189BDB19CFAAD8546DEFBB2FFC9300F14C0AAD509AB268DB355A45CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098e4d; CreateProcessA called in block 1099044-1099132)
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0109911F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: b3be062570cb24b8e91ac17fff10938987b2569efc6244fad898c11280138f92
                                            • Instruction ID: cee41759c7e9a92a002b6367ff12fcd9571f835111a5b6355e6b145fd6946d34
                                            • Opcode Fuzzy Hash: b3be062570cb24b8e91ac17fff10938987b2569efc6244fad898c11280138f92
                                            • Instruction Fuzzy Hash: 38C12470D0022D8FDF20CFA4C851BEDBBB1BB49304F0095AAE559B7250EB749A89DF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098e58; CreateProcessA called in block 1099044-1099132)
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0109911F
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 2b814cfa08777547d77d2b9fc981339a4439acedec02f3b51daaf873c4d2cf7a
                                            • Instruction ID: cda35d134e47b84bbbc788ee030b615449e67c6911667593778d4d284d5a0a67
                                            • Opcode Fuzzy Hash: 2b814cfa08777547d77d2b9fc981339a4439acedec02f3b51daaf873c4d2cf7a
                                            • Instruction Fuzzy Hash: 6EC13670D0022D8FDF20CFA8C851BEDBBB1BB49304F0095A9E559B7250EB749A89DF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098ac8; WriteProcessMemory called in block 1098b52-1098bb3)
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01098BA3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: cf7aa1c3554cdff1591e5a82379f3af1d95f3bea6f84635bd7a377966320fef0
                                            • Instruction ID: 3e57462179151d4e2c1f72a4db45d9da04e68187882189a6d0be4059d8e60c06
                                            • Opcode Fuzzy Hash: cf7aa1c3554cdff1591e5a82379f3af1d95f3bea6f84635bd7a377966320fef0
                                            • Instruction Fuzzy Hash: A641A8B4D012589FCF00CFA9D984AEEFBF1BB49314F14942AE818B7250D779AA45CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098ad0; WriteProcessMemory called in block 1098b52-1098bb3)
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01098BA3
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: f3a65a9d782ceca58be946c33c26986d7df070dec936222f9dfd1d47be37ef87
                                            • Instruction ID: 1292bd25468aa5a096fe19634ede7b46829b456efcec332dfbe81171d144f0f6
                                            • Opcode Fuzzy Hash: f3a65a9d782ceca58be946c33c26986d7df070dec936222f9dfd1d47be37ef87
                                            • Instruction Fuzzy Hash: 0A4197B5D012589FCF00CFA9D984AEEFBF1BB49314F14942AE819B7310D738AA45CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098c21; ReadProcessMemory called in block 1098c21-1098cea)
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01098CDA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: b06dd1965ba25e044d1c45ede0483c8215a92cf484bad9788a3d55217c0ddfea
                                            • Instruction ID: ad58cdc328b3b001bed5521321d6401cb5945960688442795796066112f2e982
                                            • Opcode Fuzzy Hash: b06dd1965ba25e044d1c45ede0483c8215a92cf484bad9788a3d55217c0ddfea
                                            • Instruction Fuzzy Hash: A541A7B9D002589FCF00CFA9D880AEEFBB1BB09314F14942AE814B7310D735A946CF64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098c28; ReadProcessMemory called in block 1098c28-1098cea)
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01098CDA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 6562bba487c9c78a13f9a40159b6fb5063464a3e11a950f4ab27b66021e94f2e
                                            • Instruction ID: b23da3dc26b99912d12335ed5d20e07bd076ca4b35855d386fd762f5b213bc2b
                                            • Opcode Fuzzy Hash: 6562bba487c9c78a13f9a40159b6fb5063464a3e11a950f4ab27b66021e94f2e
                                            • Instruction Fuzzy Hash: 4C4198B5D002589FCF00DFA9D880AEEFBB5BB09314F14942AE815B7310D735A956CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 10989a8; VirtualAllocEx called in block 10989a8-1098a6a)
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01098A5A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 79d386d7804b2ff4ab18bcba0cacb6eb2b20ea3268f450ca9e2d4aad2617e7fb
                                            • Instruction ID: c1ce7f89cf4649fe0bff5b2d89c208a5a70b664cdee7a1d3bf8537a0571ad184
                                            • Opcode Fuzzy Hash: 79d386d7804b2ff4ab18bcba0cacb6eb2b20ea3268f450ca9e2d4aad2617e7fb
                                            • Instruction Fuzzy Hash: 564196B8D00258DFCF00CFA9D980ADEBBB1BB49314F10942AE815BB310D739A946CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 10989b0; VirtualAllocEx called in block 10989b0-1098a6a)
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01098A5A
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 9f7c06c254b06079a45e8e3084675cec385af838248e87971d741c24a28772c4
                                            • Instruction ID: ba48d774e39bbdfed78acf94f7228fc39caa353bc816f5f664808dff3e50710c
                                            • Opcode Fuzzy Hash: 9f7c06c254b06079a45e8e3084675cec385af838248e87971d741c24a28772c4
                                            • Instruction Fuzzy Hash: 893187B9D002589FCF10CFA9D880ADEFBB5BB49314F10942AE815B7310D735A956CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098880; SetThreadContext called in block 10988ff-1098947)
                                            APIs
                                            • SetThreadContext.KERNELBASE(?,?), ref: 01098937
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 50c3d0fcde24cfdaeaa26a33f271e3269dc9816689ea76dfa2cd7bf486fc26d8
                                            • Instruction ID: 71ec70f805dfdfb5986bb9f96ea7cb062413342d16f3480bb71aaaf3a087ce9d
                                            • Opcode Fuzzy Hash: 50c3d0fcde24cfdaeaa26a33f271e3269dc9816689ea76dfa2cd7bf486fc26d8
                                            • Instruction Fuzzy Hash: E541AAB5D002589FCB10CFA9D884AEEBBF1BF49314F14842AE455B7340D739A94ACF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (entry block 1098790; ResumeThread called in block 10987f5-1098826)
                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 01098816
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 4a22892a842f99ab70124de9664f166fe39939fc403bf31d6921e1a17d08fae9
                                            • Instruction ID: 455dc95c3ade5f9833d0bcd2a1afe2a56b431bd6097f6f04312f16d37adbf75a
                                            • Opcode Fuzzy Hash: 4a22892a842f99ab70124de9664f166fe39939fc403bf31d6921e1a17d08fae9
                                            • Instruction Fuzzy Hash: D231DCB4D002489FCF10CFA9D490AEEFBB4AB49314F10842AE414B7710C735A845CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetThreadContext.KERNELBASE(?,?), ref: 01098937
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: ContextThread
                                            • String ID:
                                            • API String ID: 1591575202-0
                                            • Opcode ID: 6477e34cfaea7b55bb437806ec5c8ece0a220ff19f8bb18a11541f14368a2aed
                                            • Instruction ID: 590b751c85f8405ebd38b307f6cd8298c88f4468a610dcb55afcfc8a1672e905
                                            • Opcode Fuzzy Hash: 6477e34cfaea7b55bb437806ec5c8ece0a220ff19f8bb18a11541f14368a2aed
                                            • Instruction Fuzzy Hash: 0431A9B5D002589FCB10DFA9D884AEEFBF1BB49314F14842AE454B7300D738A989CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 01098816
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: fe91f5e80b5681fa525a86a917abc61bbf1e8c45f3ac0a3294c02f87775b11c6
                                            • Instruction ID: 1fe8de166fdac8a522d3e08c90f483b66947994d3ef97ba9442908fe5f833c4f
                                            • Opcode Fuzzy Hash: fe91f5e80b5681fa525a86a917abc61bbf1e8c45f3ac0a3294c02f87775b11c6
                                            • Instruction Fuzzy Hash: E531ABB4D002589FCF14CFA9E885ADEFBB4BB49314F14842AE815B7700DB35A945CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $B{R
                                            • API String ID: 0-2114189307
                                            • Opcode ID: 42de3603f284831efd78db86567a5957e8e80be2afcd429445726cde24a548d6
                                            • Instruction ID: 1312fd1ca967ce7882aa73ff8aaa7a481bd61c5ce5c3014ff2e567c5ef77bae1
                                            • Opcode Fuzzy Hash: 42de3603f284831efd78db86567a5957e8e80be2afcd429445726cde24a548d6
                                            • Instruction Fuzzy Hash: 0C21EE71E057459FEB49CF67985069ABBF3AFC9200F08C0BAD548A6265DB3405468F15
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $B{R
                                            • API String ID: 0-2114189307
                                            • Opcode ID: 057f44f1afb79b6c1b9047ea3252222f485e8b5100a7eb9bd008379a9be25e1c
                                            • Instruction ID: c0dc76bd467602d5eb4d6aabf7d954a7dd5fc6c24537ba88dc6e0183317094ac
                                            • Opcode Fuzzy Hash: 057f44f1afb79b6c1b9047ea3252222f485e8b5100a7eb9bd008379a9be25e1c
                                            • Instruction Fuzzy Hash: 7D11DAB1E046189BEB18CFABD85069EFAF7BFC8300F04C07AD918A6228EB3545458F55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |wn:
                                            • API String ID: 0-1818304886
                                            • Opcode ID: b271d193d0a6a8105def3fc82785743c7411d2a692b42135e8326e5df9ded5b3
                                            • Instruction ID: f7be432b7646b452765fd43e8ae06da8cb86308096ebb0decbcd6de9085dba3a
                                            • Opcode Fuzzy Hash: b271d193d0a6a8105def3fc82785743c7411d2a692b42135e8326e5df9ded5b3
                                            • Instruction Fuzzy Hash: 1081CE74E142099FCB04CFA9D6809AEFBF1FF88310F258569E455EB224D334AA42CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |wn:
                                            • API String ID: 0-1818304886
                                            • Opcode ID: 051112422b30bfca32da6e81e9edabf2c858ce2255785f5e98cc24ee93baee76
                                            • Instruction ID: 8ee126fc42b9f1b89b720a68ba9f729c95706594b41e1beee1ee7c092a4f3ba0
                                            • Opcode Fuzzy Hash: 051112422b30bfca32da6e81e9edabf2c858ce2255785f5e98cc24ee93baee76
                                            • Instruction Fuzzy Hash: E481E274A14209DFCB44CFA9D6849AEFBF1FF88310F248569E455EB264D334AA42CF54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a2be1c703c7765c22c749163d37bdcca967b9c93aeee257eb07c3839451c613
                                            • Instruction ID: 5831723a4381198707952cc0bfcf35fe75685e4d903bc859c746715cc754949c
                                            • Opcode Fuzzy Hash: 6a2be1c703c7765c22c749163d37bdcca967b9c93aeee257eb07c3839451c613
                                            • Instruction Fuzzy Hash: 9C81ADB6E26209CFCF15CFA9D8505EEBBB1FF45300F24846AD545AB210E3319A42DF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 28d9440e85de1538d7145056fb0b368d09b399cc7338cae682097ac2b6c34fd9
                                            • Instruction ID: 5184f2454113ff4d5399e83266ffe53aecb3f20c65eba8278a5f936e0c1391cb
                                            • Opcode Fuzzy Hash: 28d9440e85de1538d7145056fb0b368d09b399cc7338cae682097ac2b6c34fd9
                                            • Instruction Fuzzy Hash: EA7146B6E16209CBCF04CFA9D9905EEBBB2FB88300F24942AD545B7354D7309A42DF95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d8fa0c438064b2258a15a15d1e513fa4e92e3f52969c317c2b8a765b2658f19
                                            • Instruction ID: ca34ab79a2d6e949b47a0d86e9356dc86b1d6797d7286f1ab7aae1c1eb5c6d72
                                            • Opcode Fuzzy Hash: 1d8fa0c438064b2258a15a15d1e513fa4e92e3f52969c317c2b8a765b2658f19
                                            • Instruction Fuzzy Hash: 70512770E0520ADFCB05CFAAC8915AEFBF2EF89300F24D56AD455BB254E33496428F94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33db21381315d459570649dfeddf71dfe48e15decaed20c21f4899fc75b087f4
                                            • Instruction ID: aadfc8b472b57a90801e675cdf3db333e028abbdd70977948edf8c901826414f
                                            • Opcode Fuzzy Hash: 33db21381315d459570649dfeddf71dfe48e15decaed20c21f4899fc75b087f4
                                            • Instruction Fuzzy Hash: 7551F770E0520ADBCF04CFAAC9915AEFBF2BB89300F24D46AD555B7254D33496418F94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000001.00000002.375931405.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_1090000_FqjWpTMVBm.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eeed62454668bf1c4516dff96084e9e935b8ef6959631ab6ebdec691f4509d09
                                            • Instruction ID: bd489fe1616b400501112abe9d71f8aec6532ddda98de3b0c120f5176e3ee0ee
                                            • Opcode Fuzzy Hash: eeed62454668bf1c4516dff96084e9e935b8ef6959631ab6ebdec691f4509d09
                                            • Instruction Fuzzy Hash: 3741B571E056589BDB69CF6B9C502CEBBF3AFC9300F14C1AA844CAA265EB3149858F50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage: 11.7%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 6.8%
                                            Total number of Nodes: 59
                                            Total number of Limit Nodes: 3

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.637110407.000000000A6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_a6e0000_cvtres.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: XK$|L
                                            • API String ID: 2994545307-843644893
                                            • Opcode ID: 1cc055994b3542b45606116c83ab0898ead953617192c7418fc4df6008ad31e2
                                            • Instruction ID: 278cce63073224d8d7b7a3a784f0f3205e10fa9e908fe49b202af1b553f47d91
                                            • Opcode Fuzzy Hash: 1cc055994b3542b45606116c83ab0898ead953617192c7418fc4df6008ad31e2
                                            • Instruction Fuzzy Hash: 0E623C31E106198FCB24EFB8C85469DB7F2AF89340F1085A9D55AAB350EF349E85CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.637110407.000000000A6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_a6e0000_cvtres.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b791a170c2e680c8b4125b2a8b931ea7b46101ba335c82e5531e444b3def814c
                                            • Instruction ID: e1c5c34f831992fe1dcf262c253d99cd1723cfa31d6faef8f60c510c08362614
                                            • Opcode Fuzzy Hash: b791a170c2e680c8b4125b2a8b931ea7b46101ba335c82e5531e444b3def814c
                                            • Instruction Fuzzy Hash: 2E51A371B102099FCB04EFB4D895AAEB7B6BF84304F048929D5169B391EF74D905CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 06F4FCF8
                                            • GetCurrentThread.KERNEL32 ref: 06F4FD35
                                            • GetCurrentProcess.KERNEL32 ref: 06F4FD72
                                            • GetCurrentThreadId.KERNEL32 ref: 06F4FDCB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: H?
                                            • API String ID: 2063062207-1960071062
                                            • Opcode ID: 195971c72ceaab5ed8f2f5d9d99f5adc594d981c2231ec74433039ec8cf4317a
                                            • Instruction ID: 70d2de4e8b2214b5cfb12f3069be4165ee0db2a888e4d20fc3bb1edd2ea6bb9d
                                            • Opcode Fuzzy Hash: 195971c72ceaab5ed8f2f5d9d99f5adc594d981c2231ec74433039ec8cf4317a
                                            • Instruction Fuzzy Hash: 035163B0D016498FDB54DFA9D848BDEBBF1EF88304F248459E019A7790D7386888CB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 06F4FCF8
                                            • GetCurrentThread.KERNEL32 ref: 06F4FD35
                                            • GetCurrentProcess.KERNEL32 ref: 06F4FD72
                                            • GetCurrentThreadId.KERNEL32 ref: 06F4FDCB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID: H?
                                            • API String ID: 2063062207-1960071062
                                            • Opcode ID: f65036c44bbf8fe18a098c0b208c76ae23886e3b1fffea83507cf4c8c441844a
                                            • Instruction ID: 2ac3717f5f5a2d10e22c1f8941c4b05c29b90a00a40f34bdee00107f08aaf205
                                            • Opcode Fuzzy Hash: f65036c44bbf8fe18a098c0b208c76ae23886e3b1fffea83507cf4c8c441844a
                                            • Instruction Fuzzy Hash: BE5183B0D016098FDB50DFA9D848BDEBBF1EF88304F248059E019A7790D7386888CF66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.637110407.000000000A6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A6E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_a6e0000_cvtres.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4899bd663ee522d8d3eaded3843710dc4f496a7022e4d36fd21598a3c31dfde4
                                            • Instruction ID: 0be955619157806cfe1046347d79f1d71a4d49872d6cf4a6ef4b96b58480f22f
                                            • Opcode Fuzzy Hash: 4899bd663ee522d8d3eaded3843710dc4f496a7022e4d36fd21598a3c31dfde4
                                            • Instruction Fuzzy Hash: 4D51F330B112459FCB04EFB4D859AAEBBB6BF85304F14896AD416DB391EF34D805CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 06F4C9BA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: f274fecbbe623501d2ccf854de3fe99ee799442a8e57d366280cf3feeef8aaca
                                            • Instruction ID: 5a6fe5f9bbc8e143137a45f0b195fb9eeb445ff872195cfbb0ec6e3fa310f563
                                            • Opcode Fuzzy Hash: f274fecbbe623501d2ccf854de3fe99ee799442a8e57d366280cf3feeef8aaca
                                            • Instruction Fuzzy Hash: 2E3153B0D01259AFCB54DFA8C88579EBFB1BF08718F04852AE816AB784D7758485CF92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?), ref: 06F4C9BA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: d2b66ffce617eb2581ab0797d8a89de176fba8738c678f918ba13488b4254d8a
                                            • Instruction ID: 72ef4b6c675a38208540099ecbca1105bd017cc4019464b35416dbfc004f9a5b
                                            • Opcode Fuzzy Hash: d2b66ffce617eb2581ab0797d8a89de176fba8738c678f918ba13488b4254d8a
                                            • Instruction Fuzzy Hash: D83166B0D01248AFCB54EFA8C84579EBFF1BF08704F148129E815A7784D7759481CF92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F4FF47
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: f15dca03627b64c911cbe67f55468bcfd6db80e3e9340026febe958e16d25399
                                            • Instruction ID: e498d5106c8e96d8cabedfe0d86b574cb3974f613446245fdfc6b78cc1de399a
                                            • Opcode Fuzzy Hash: f15dca03627b64c911cbe67f55468bcfd6db80e3e9340026febe958e16d25399
                                            • Instruction Fuzzy Hash: A32114B5D01248AFDB10DFAAD484AEEBFF4EF49320F14811AE918A3710D374A944CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F4FF47
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 85634c9fe0194c974925cabb1bbaf8a41a4fa43efaee99250c70a4a7200f7112
                                            • Instruction ID: b1aea971feb9be158bfd63a9d24473a1fb21a9a80967dd3e58244fcb0dd525bf
                                            • Opcode Fuzzy Hash: 85634c9fe0194c974925cabb1bbaf8a41a4fa43efaee99250c70a4a7200f7112
                                            • Instruction Fuzzy Hash: 0421E6B5D012089FDB10CF9AD484ADEBBF4EB48320F14801AE918A3710D374A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 06F44D42
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.633993918.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_6f40000_cvtres.jbxd
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 98dcdffc5f752356fc6b51f5b13c66a35ee3904678f8c88b7dea08d88a8b852e
                                            • Instruction ID: 88a6f46a78b207ccaa687f524a9164bce2db211430f34cead2ae782d803beba0
                                            • Opcode Fuzzy Hash: 98dcdffc5f752356fc6b51f5b13c66a35ee3904678f8c88b7dea08d88a8b852e
                                            • Instruction Fuzzy Hash: CC11A970D007498FDBA0EFA9C50879EBFF4EB48314F548029D405B3A00D778A945CFA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632946640.000000000530D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0530D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_530d000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a992b75448523aab0794c90931e9f0ef540f7000f68fb09d2d4d974de8908bd
                                            • Instruction ID: 45cde4847dec6d9935e8620ad04685ed483bf2c26b2ed3b0e5d96b42372d4555
                                            • Opcode Fuzzy Hash: 5a992b75448523aab0794c90931e9f0ef540f7000f68fb09d2d4d974de8908bd
                                            • Instruction Fuzzy Hash: 7552A23054F3C6AFC34B8B3488A25967FB1AE4325572A85EFC0C5CE0B7D26E445AC75A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632864237.00000000052FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 052FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52fd000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1de44de6c013fc9d026a0119c1757e72185a30d00d709f00690cd1e9c5ac3a9b
                                            • Instruction ID: 8c82841bc71d5cda30b7fd340d312ebb4bd2240d1606649dcf96638dd9b30db7
                                            • Opcode Fuzzy Hash: 1de44de6c013fc9d026a0119c1757e72185a30d00d709f00690cd1e9c5ac3a9b
                                            • Instruction Fuzzy Hash: 8B21B072514244EFDB05DF14E9C0B26FB66FF84224F248679EA090F646C33AE456C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632864237.00000000052FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 052FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52fd000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4acca9cc0d905ed844def01e4e61449d7a8213e7cf68fbb5606f4db314d4bfb2
                                            • Instruction ID: 4d8354763025d591eb8d9ebbdde2bec13f606c337bd921807d4b85d8b4960d01
                                            • Opcode Fuzzy Hash: 4acca9cc0d905ed844def01e4e61449d7a8213e7cf68fbb5606f4db314d4bfb2
                                            • Instruction Fuzzy Hash: 9F212871514204DFCB05CF14E9C0F26FB66FF88328F248579D9090B606C33AD85ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632946640.000000000530D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0530D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_530d000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16f09d7b7dbef25f137cc929f9d62bc11207e74ef68cd1708d94c38ecb4c0e3a
                                            • Instruction ID: dc14dc37eae101d6cffa5603ecca39dac617ee12c71c1a6b7b398273d0830c44
                                            • Opcode Fuzzy Hash: 16f09d7b7dbef25f137cc929f9d62bc11207e74ef68cd1708d94c38ecb4c0e3a
                                            • Instruction Fuzzy Hash: D9210771704300DFDB44DF10D5D0B26BB6AFB84324F24C96DD8094B786C77AD856DAA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632864237.00000000052FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 052FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52fd000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3373a815c6da60f27a5ed81c02a9ec0c57579f65a424d543760c9f870216945e
                                            • Instruction ID: c66bf207bd35e6203802648bdc3658e736a3f5556e78b0bcfdda26bdfa8c1522
                                            • Opcode Fuzzy Hash: 3373a815c6da60f27a5ed81c02a9ec0c57579f65a424d543760c9f870216945e
                                            • Instruction Fuzzy Hash: AD119D76404280DFCB12CF10E5C4B26BF72FB84320F24C6A9D9090A656C33AE456CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.632864237.00000000052FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 052FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52fd000_cvtres.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3373a815c6da60f27a5ed81c02a9ec0c57579f65a424d543760c9f870216945e
                                            • Instruction ID: 719109e30a132dd4e67f42c237c7d72f823de67d93ca1853a073a42ec25d49b7
                                            • Opcode Fuzzy Hash: 3373a815c6da60f27a5ed81c02a9ec0c57579f65a424d543760c9f870216945e
                                            • Instruction Fuzzy Hash: D011D376404280DFCB12CF10D5C4B16FF72FF84324F2486A9D9090B616C33AD45ACBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%