Edit tour

Windows Analysis Report
BANK COPY.exe

Overview

General Information

Sample Name:	BANK COPY.exe
Analysis ID:	680551
MD5:	0197c423eddeb8a0ed293e96a152f5a2
SHA1:	068261f9991202b0a75d813f0c25267d28e4fb51
SHA256:	54877cf2e0d27d13a5e94fcfb0eae5749bfc56e0e2f548f6410e6e4d56f3ea3f
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Modifies the hosts file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

.NET source code contains very large strings

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

BANK COPY.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\BANK COPY.exe" MD5: 0197C423EDDEB8A0ED293E96A152F5A2)

schtasks.exe (PID: 5308 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4692 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

yqWDN.exe (PID: 4264 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

yqWDN.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "emin.gasimov@absheron-sharab.az", "Password": "emin077", "Host": "mail.absheron-sharab.az"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3017e:$a13: get_DnsResolver 0x2e978:$a20: get_LastAccessed 0x30afc:$a27: set_InternalServerPort 0x30e18:$a30: set_GuidMasterKey 0x2ea7f:$a33: get_Clipboard 0x2ea8d:$a34: get_Keyboard 0x2fd96:$a35: get_ShiftKeyDown 0x2fda7:$a36: get_AltKeyDown 0x2ea9a:$a37: get_Password 0x2f546:$a38: get_PasswordHash 0x3057e:$a39: get_DefaultCredentials
00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x155d56:$a13: get_DnsResolver 0x18a376:$a13: get_DnsResolver 0x154550:$a20: get_LastAccessed 0x188b70:$a20: get_LastAccessed 0x1566d4:$a27: set_InternalServerPort 0x18acf4:$a27: set_InternalServerPort 0x1569f0:$a30: set_GuidMasterKey 0x18b010:$a30: set_GuidMasterKey 0x154657:$a33: get_Clipboard 0x188c77:$a33: get_Clipboard 0x154665:$a34: get_Keyboard 0x188c85:$a34: get_Keyboard 0x15596e:$a35: get_ShiftKeyDown 0x189f8e:$a35: get_ShiftKeyDown 0x15597f:$a36: get_AltKeyDown 0x189f9f:$a36: get_AltKeyDown 0x154672:$a37: get_Password 0x188c92:$a37: get_Password 0x15511e:$a38: get_PasswordHash 0x18973e:$a38: get_PasswordHash 0x156156:$a39: get_DefaultCredentials
00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BANK COPY.exe PID: 5724	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x4dbb4:$s5: AEAAAAMAAQqVT 0x4db25:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: BANK COPY.exe PID: 5724	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: BANK COPY.exe PID: 5724	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: BANK COPY.exe PID: 5724	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x7870f:$a13: get_DnsResolver 0x77166:$a20: get_LastAccessed 0x7903c:$a27: set_InternalServerPort 0x79298:$a30: set_GuidMasterKey 0x77259:$a33: get_Clipboard 0x77267:$a34: get_Keyboard 0x783c3:$a35: get_ShiftKeyDown 0x783d4:$a36: get_AltKeyDown 0x77274:$a37: get_Password 0x77c7c:$a38: get_PasswordHash 0x78ae3:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 4692	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4692	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x11f4f:$a13: get_DnsResolver 0x109a6:$a20: get_LastAccessed 0x1287c:$a27: set_InternalServerPort 0x12ad8:$a30: set_GuidMasterKey 0x10a99:$a33: get_Clipboard 0x10aa7:$a34: get_Keyboard 0x11c03:$a35: get_ShiftKeyDown 0x11c14:$a36: get_AltKeyDown 0x10ab4:$a37: get_Password 0x114bc:$a38: get_PasswordHash 0x12323:$a39: get_DefaultCredentials
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BANK COPY.exe.3d1e9d8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BANK COPY.exe.3d1e9d8.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c58:$s10: logins 0x326bf:$s11: credential 0x2ec7f:$g1: get_Clipboard 0x2ec8d:$g2: get_Keyboard 0x2ec9a:$g3: get_Password 0x2ff86:$g4: get_CtrlKeyDown 0x2ff96:$g5: get_ShiftKeyDown 0x2ffa7:$g6: get_AltKeyDown
7.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3037e:$a13: get_DnsResolver 0x2eb78:$a20: get_LastAccessed 0x30cfc:$a27: set_InternalServerPort 0x31018:$a30: set_GuidMasterKey 0x2ec7f:$a33: get_Clipboard 0x2ec8d:$a34: get_Keyboard 0x2ff96:$a35: get_ShiftKeyDown 0x2ffa7:$a36: get_AltKeyDown 0x2ec9a:$a37: get_Password 0x2f746:$a38: get_PasswordHash 0x3077e:$a39: get_DefaultCredentials
0.2.BANK COPY.exe.3d1e9d8.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30e58:$s10: logins 0x308bf:$s11: credential 0x2ce7f:$g1: get_Clipboard 0x2ce8d:$g2: get_Keyboard 0x2ce9a:$g3: get_Password 0x2e186:$g4: get_CtrlKeyDown 0x2e196:$g5: get_ShiftKeyDown 0x2e1a7:$g6: get_AltKeyDown
0.2.BANK COPY.exe.3d1e9d8.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e57e:$a13: get_DnsResolver 0x2cd78:$a20: get_LastAccessed 0x2eefc:$a27: set_InternalServerPort 0x2f218:$a30: set_GuidMasterKey 0x2ce7f:$a33: get_Clipboard 0x2ce8d:$a34: get_Keyboard 0x2e196:$a35: get_ShiftKeyDown 0x2e1a7:$a36: get_AltKeyDown 0x2ce9a:$a37: get_Password 0x2d946:$a38: get_PasswordHash 0x2e97e:$a39: get_DefaultCredentials
0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c58:$s10: logins 0x67278:$s10: logins 0x326bf:$s11: credential 0x66cdf:$s11: credential 0x2ec7f:$g1: get_Clipboard 0x6329f:$g1: get_Clipboard 0x2ec8d:$g2: get_Keyboard 0x632ad:$g2: get_Keyboard 0x2ec9a:$g3: get_Password 0x632ba:$g3: get_Password 0x2ff86:$g4: get_CtrlKeyDown 0x645a6:$g4: get_CtrlKeyDown 0x2ff96:$g5: get_ShiftKeyDown 0x645b6:$g5: get_ShiftKeyDown 0x2ffa7:$g6: get_AltKeyDown 0x645c7:$g6: get_AltKeyDown
0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3037e:$a13: get_DnsResolver 0x6499e:$a13: get_DnsResolver 0x2eb78:$a20: get_LastAccessed 0x63198:$a20: get_LastAccessed 0x30cfc:$a27: set_InternalServerPort 0x6531c:$a27: set_InternalServerPort 0x31018:$a30: set_GuidMasterKey 0x65638:$a30: set_GuidMasterKey 0x2ec7f:$a33: get_Clipboard 0x6329f:$a33: get_Clipboard 0x2ec8d:$a34: get_Keyboard 0x632ad:$a34: get_Keyboard 0x2ff96:$a35: get_ShiftKeyDown 0x645b6:$a35: get_ShiftKeyDown 0x2ffa7:$a36: get_AltKeyDown 0x645c7:$a36: get_AltKeyDown 0x2ec9a:$a37: get_Password 0x632ba:$a37: get_Password 0x2f746:$a38: get_PasswordHash 0x63d66:$a38: get_PasswordHash 0x3077e:$a39: get_DefaultCredentials
0.2.BANK COPY.exe.2c36370.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0xce2c:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0xce70:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xceb8:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0xd144:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0xd1a8:$s2: Set-MpPreference -DisableArchiveScanning $true 0xd200:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0xd258:$s4: Set-MpPreference -DisableScriptScanning $true 0xd2a4:$s5: Set-MpPreference -SubmitSamplesConsent 2 0xd2e4:$s6: Set-MpPreference -MAPSReporting 0 0xd330:$s7: Set-MpPreference -HighThreatDefaultAction 6 0xd388:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0xd3d8:$s9: Set-MpPreference -LowThreatDefaultAction 6 0xd428:$s10: Set-MpPreference -SevereThreatDefaultAction 6
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BANK COPY.exe	Virustotal: Detection: 54%			Perma Link
Source: BANK COPY.exe	ReversingLabs: Detection: 39%

Antivirus / Scanner detection for submitted sample

Source: BANK COPY.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\gPxsznxm.exe

Avira: detection malicious, Label: HEUR/AGEN.1235476

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gPxsznxm.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: BANK COPY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gPxsznxm.exe

Joe Sandbox ML: detected

Source: 7.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "emin.gasimov@absheron-sharab.az", "Password": "emin077", "Host": "mail.absheron-sharab.az"}

Source: BANK COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: BANK COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr
Source:	Binary string: RegSvcs.pdb source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr

Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_080244B8
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_080244A8
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0802456C

Source: Joe Sandbox View

IP Address: 162.241.217.198 162.241.217.198

Source: global traffic

TCP traffic: 192.168.2.3:49752 -> 162.241.217.198:587

Source: global traffic

TCP traffic: 192.168.2.3:49752 -> 162.241.217.198:587

Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://CqUOsT.com
Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://lzmd6XB2MFu.net
Source: RegSvcs.exe, 00000007.00000002.517926898.000000000353A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.absheron-sharab.az
Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BANK COPY.exe, 00000000.00000003.254135945.0000000005B75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BANK COPY.exe, 00000000.00000003.246868723.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247238905.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247092273.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: BANK COPY.exe, 00000000.00000003.250261634.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251054745.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250645734.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251128359.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250676479.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/de
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BANK COPY.exe, 00000000.00000003.250092163.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com;z
Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsFny
Source: BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comany
Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comedta
Source: BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgritogy
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comouyn
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com-uH
Source: BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comY
Source: BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comcY
Source: BANK COPY.exe, 00000000.00000003.242351755.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comick
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245247770.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245400300.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244817743.0000000005B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BANK COPY.exe, 00000000.00000003.253812232.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253923382.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253743728.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253982107.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242292859.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242191863.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.coma-dt
Source: BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242330356.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242361494.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.coms
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr0t
Source: BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.krK
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242721047.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242814661.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242745354.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comP
Source: BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comk
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.de
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deF
Source: BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.dec
Source: BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.absheron-sharab.az

Source: BANK COPY.exe, 00000000.00000002.282858977.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.BANK COPY.exe.2c36370.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 7.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBA0C495Cu002dB6A6u002d4174u002d8102u002d6CC97287D619u007d/u0037EDAF7E5u002dACABu002d4CCFu002dA998u002d63BF57EC015A.cs

Large array initialization: .cctor: array initializer size 11625

.NET source code contains very large strings

Source: BANK COPY.exe, AddCompanyForm.cs	Long String: Length: 20037
Source: gPxsznxm.exe.0.dr, AddCompanyForm.cs	Long String: Length: 20037
Source: 0.0.BANK COPY.exe.780000.0.unpack, AddCompanyForm.cs	Long String: Length: 20037

Source: BANK COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.BANK COPY.exe.2c36370.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_02ADE820	0_2_02ADE820
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_02ADE810	0_2_02ADE810
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_02ADBF54	0_2_02ADBF54
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B3FA0	0_2_075B3FA0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B5630	0_2_075B5630
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B2D00	0_2_075B2D00
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075BD468	0_2_075BD468
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B4C10	0_2_075B4C10
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B63F8	0_2_075B63F8
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075BC070	0_2_075BC070
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B9770	0_2_075B9770
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B9726	0_2_075B9726
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B5623	0_2_075B5623
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B5620	0_2_075B5620
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B7ED0	0_2_075B7ED0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B3EE1	0_2_075B3EE1
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B7EE0	0_2_075B7EE0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075BC540	0_2_075BC540
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B85C0	0_2_075B85C0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B85B0	0_2_075B85B0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8C40	0_2_075B8C40
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B4C00	0_2_075B4C00
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8C30	0_2_075B8C30
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B3340	0_2_075B3340
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B3330	0_2_075B3330
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B6330	0_2_075B6330
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B6389	0_2_075B6389
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8A52	0_2_075B8A52
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8A60	0_2_075B8A60
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8200	0_2_075B8200
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075BD938	0_2_075BD938
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B81F0	0_2_075B81F0
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8818	0_2_075B8818
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_075B8808	0_2_075B8808
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_08020040	0_2_08020040
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_08020006	0_2_08020006
Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_08020283	0_2_08020283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626BB18	7_2_0626BB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626C878	7_2_0626C878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06261FF8	7_2_06261FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06260040	7_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069022E8	7_2_069022E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06904D00	7_2_06904D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06901180	7_2_06901180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0697C7C0	7_2_0697C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06979338	7_2_06979338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06974C68	7_2_06974C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06972DE0	7_2_06972DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06976D18	7_2_06976D18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0697E950	7_2_0697E950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06974418	7_2_06974418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069792D4	7_2_069792D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06972D80	7_2_06972D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06976BC8	7_2_06976BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069AC7E8	7_2_069AC7E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A65F0	7_2_069A65F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A721A	7_2_069A721A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A1D28	7_2_069A1D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ADBD8	7_2_069ADBD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A3330	7_2_069A3330

Source: BANK COPY.exe, 00000000.00000000.238693241.0000000000844000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000003.265022832.0000000003248000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.308217029.00000000074B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemqWKvSGkaDYLcvnhfrECeVwbtwhMnIPPYdRhIA.exe4 vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemqWKvSGkaDYLcvnhfrECeVwbtwhMnIPPYdRhIA.exe4 vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.282858977.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.292700104.0000000003DD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs BANK COPY.exe
Source: BANK COPY.exe, 00000000.00000002.292700104.0000000003DD4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe
Source: BANK COPY.exe	Binary or memory string: OriginalFilenameEKbM.exe6 vs BANK COPY.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: BANK COPY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gPxsznxm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: BANK COPY.exe	Virustotal: Detection: 54%
Source: BANK COPY.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\BANK COPY.exe

File read: C:\Users\user\Desktop\BANK COPY.exe

Jump to behavior

Source: BANK COPY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BANK COPY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\BANK COPY.exe "C:\Users\user\Desktop\BANK COPY.exe"
Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe "C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BANK COPY.exe

File created: C:\Users\user\AppData\Roaming\gPxsznxm.exe

Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1205.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1

Source: C:\Users\user\Desktop\BANK COPY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: BANK COPY.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\BANK COPY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
Source: C:\Users\user\Desktop\BANK COPY.exe	Mutant created: \Sessions\1\BaseNamedObjects\VvtJSeKnwrzeyitZ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_01

Source: BANK COPY.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel
Source: BANK COPY.exe	String found in binary or memory: Address:/AddressToolStripTextBox-AddressToolStripButton'ToolStripSeparator3'PhoneToolStripLabel

Source: 7.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\BANK COPY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: BANK COPY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: BANK COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr
Source:	Binary string: RegSvcs.pdb source: yqWDN.exe, 0000000E.00000000.307818676.00000000006E2000.00000002.00000001.01000000.00000009.sdmp, yqWDN.exe.7.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: BANK COPY.exe, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: gPxsznxm.exe.0.dr, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)
Source: 0.0.BANK COPY.exe.780000.0.unpack, AddCompanyForm.cs	.Net Code: NewLateBinding.LateCall(dax, null, "Invoke", stackVariable4, null, null, stackVariable13, true)

Source: C:\Users\user\Desktop\BANK COPY.exe	Code function: 0_2_08025045 push FFFFFF8Bh; iretd	0_2_08025047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE26 push es; retf	7_2_0626AE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE22 push es; retf	7_2_0626AE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE2E push es; retf	7_2_0626AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE2A push es; retf	7_2_0626AE2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE36 push es; retf	7_2_0626AE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE32 push es; retf	7_2_0626AE34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE3A push es; retf	7_2_0626AE3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE16 push es; retf	7_2_0626AE18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE1E push es; retf	7_2_0626AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE1A push es; retf	7_2_0626AE1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AE5D push es; retf	7_2_0626AE84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AC41 push es; retf	7_2_0626ACBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626ACBE push es; retf	7_2_0626AD54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AD56 push es; retf	7_2_0626AE14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0626AA09 push es; retf	7_2_0626AC24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_06263139 push es; iretd	7_2_0626313C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A6ED4 push ss; retf	7_2_069A6ED7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A165F push es; ret	7_2_069A18C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069A166A push es; ret	7_2_069A18C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC59 push es; iretd	7_2_069ABC5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC5D push es; iretd	7_2_069ABC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC51 push es; iretd	7_2_069ABC54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC55 push es; iretd	7_2_069ABC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC4D push es; iretd	7_2_069ABC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC71 push es; iretd	7_2_069ABC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC69 push es; iretd	7_2_069ABC6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC6D push es; iretd	7_2_069ABC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC61 push es; iretd	7_2_069ABC64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABC65 push es; iretd	7_2_069ABC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_069ABBE2 push es; iretd	7_2_069ABC4C

Source: initial sample	Static PE information: section name: .text entropy: 7.749151091847694
Source: initial sample	Static PE information: section name: .text entropy: 7.749151091847694

Source: C:\Users\user\Desktop\BANK COPY.exe	File created: C:\Users\user\AppData\Roaming\gPxsznxm.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\BANK COPY.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDN			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yqWDN			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\BANK COPY.exe TID: 5664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 5240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe TID: 3400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BANK COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Window / User API: threadDelayed 9787

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\BANK COPY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: RegSvcs.exe, 00000007.00000003.329884668.000000000665A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.521575260.000000000665A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000003.328729259.000000000664C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllbooleanMappingStrings
Source: BANK COPY.exe, 00000000.00000002.289223085.000000000312B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\BANK COPY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_069764D0 LdrInitializeThunk,

7_2_069764D0

Source: C:\Users\user\Desktop\BANK COPY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\BANK COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FF7008	Jump to behavior

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BANK COPY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp			Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}			Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Users\user\Desktop\BANK COPY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\BANK COPY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\BANK COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.BANK COPY.exe.3d1e9d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.BANK COPY.exe.3d1e9d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BANK COPY.exe PID: 5724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4692, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 File and Directory Permissions Modification	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	1 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BANK COPY.exe	55%	Virustotal		Browse
BANK COPY.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
BANK COPY.exe	100%	Avira	HEUR/AGEN.1235476
BANK COPY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gPxsznxm.exe	100%	Avira	HEUR/AGEN.1235476
C:\Users\user\AppData\Roaming\gPxsznxm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gPxsznxm.exe	39%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
0.0.BANK COPY.exe.780000.0.unpack	100%	Avira	HEUR/AGEN.1235476		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fonts.comick	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://CqUOsT.com	0%	Avira URL Cloud	safe
http://mail.absheron-sharab.az	0%	Avira URL Cloud	safe
http://www.fontbureau.comgritogy	0%	Avira URL Cloud	safe
http://lzmd6XB2MFu.net	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr0t	0%	Avira URL Cloud	safe
http://www.fontbureau.comedta	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.comessed	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.fontbureau.comany	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.krK	0%	Avira URL Cloud	safe
http://www.fontbureau.com;z	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnt-p	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.comueed	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comouyn	0%	Avira URL Cloud	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.sajatypeworks.coms	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.urwpp.deF	0%	URL Reputation	safe
http://www.fonts.com-uH	0%	Avira URL Cloud	safe
http://www.fonts.comY	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fonts.comcY	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.tiro.comP	0%	URL Reputation	safe
http://www.tiro.comk	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.sajatypeworks.coma-dt	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsFny	0%	Avira URL Cloud	safe
http://www.urwpp.dec	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.absheron-sharab.az	162.241.217.198	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comick	BANK COPY.exe, 00000000.00000003.242351755.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://CqUOsT.com	RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.absheron-sharab.az	RegSvcs.exe, 00000007.00000002.517926898.000000000353A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comgritogy	BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lzmd6XB2MFu.net	RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr0t	BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comedta	BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242721047.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242814661.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessed	BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	BANK COPY.exe, 00000000.00000003.246868723.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247238905.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.247092273.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242292859.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242191863.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/	BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comany	BANK COPY.exe, 00000000.00000002.297152512.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.282184712.0000000005B60000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.krK	BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com;z	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnt-p	BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242269007.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.243969163.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	BANK COPY.exe, 00000000.00000002.284491796.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comueed	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/de	BANK COPY.exe, 00000000.00000003.250261634.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251054745.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250645734.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.251128359.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250676479.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	BANK COPY.exe, 00000000.00000003.249576412.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.249860644.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comouyn	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agfamonotype.	BANK COPY.exe, 00000000.00000003.254135945.0000000005B75000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.coms	BANK COPY.exe, 00000000.00000003.242051970.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242330356.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242361494.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242252206.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	RegSvcs.exe, 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deF	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com-uH	BANK COPY.exe, 00000000.00000003.242276187.0000000005B84000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comY	BANK COPY.exe, 00000000.00000003.242308012.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245247770.0000000005B69000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245400300.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244727394.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.245237254.0000000005B64000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.244817743.0000000005B64000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	BANK COPY.exe, 00000000.00000003.250092163.0000000005B9D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comcY	BANK COPY.exe, 00000000.00000003.242234514.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.	BANK COPY.exe, 00000000.00000003.253812232.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253923382.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253743728.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.253982107.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comP	BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242745354.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comk	BANK COPY.exe, 00000000.00000003.242764767.0000000005B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	BANK COPY.exe, 00000000.00000002.297706220.0000000006D72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comitu	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.coma-dt	BANK COPY.exe, 00000000.00000003.242005445.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241973593.0000000005B83000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.242028008.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, BANK COPY.exe, 00000000.00000003.241943884.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsFny	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.dec	BANK COPY.exe, 00000000.00000003.250549697.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.241.217.198	mail.absheron-sharab.az	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680551
Start date and time: 08/08/202219:54:08	2022-08-08 19:54:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BANK COPY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@10/8@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 107 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, fs.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:55:16	API Interceptor	1x Sleep call for process: BANK COPY.exe modified
19:55:29	API Interceptor	662x Sleep call for process: RegSvcs.exe modified
19:55:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
19:55:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yqWDN C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.241.217.198	INVOICE.exe	Get hash	malicious	Browse
	DEBIT NOTE for JUNEJULY 2022.exe	Get hash	malicious	Browse
	SWIFT COPY.exe	Get hash	malicious	Browse
	PURCHASE ORDER.exe	Get hash	malicious	Browse
	UPDATED SOA.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.absheron-sharab.az	BANK COPY.exe	Get hash	malicious	Browse	162.241.217.198
	INVOICE.exe	Get hash	malicious	Browse	162.241.217.198
	DEBIT NOTE for JUNEJULY 2022.exe	Get hash	malicious	Browse	162.241.217.198
	SWIFT COPY.exe	Get hash	malicious	Browse	162.241.217.198
	PURCHASE ORDER.exe	Get hash	malicious	Browse	162.241.217.198
	UPDATED SOA.exe	Get hash	malicious	Browse	162.241.217.198

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	http://okaloosaclerk.loyaltyhn.com/#.aHR0cDovL2Z1ZWd1aWxsb3MuY2wvd3AtaW5jbHVkZXMvaW1hZ2VzL3NtaWxpZXMvenovP2U9dHdpbGNveEBva2Fsb29zYWNsZXJrLmNvbQ==	Get hash	malicious	Browse	50.87.153.169
	QBORemittance_Danellarealty#007-Intuit.html	Get hash	malicious	Browse	69.49.246.164
	vbc.exe	Get hash	malicious	Browse	108.167.169.56
	PAYMENT-ADVICE.exe	Get hash	malicious	Browse	50.87.144.250
	SecuriteInfo.com.Trojan.DownLoaderNET.447.21602.exe	Get hash	malicious	Browse	162.240.35.239
	Inquiry Order Q330284.exe	Get hash	malicious	Browse	162.144.73.161
	B1kefW3SOZ	Get hash	malicious	Browse	173.83.45.198
	Custom Release Form(E) AWB 825.pdf.exe	Get hash	malicious	Browse	192.185.174.178
	aYlPjjl4yW	Get hash	malicious	Browse	66.116.195.121
	Custom Release Form (E) AWB 825.pdf.exe	Get hash	malicious	Browse	192.185.174.178
	STS5492338072022.xlsx	Get hash	malicious	Browse	192.185.174.177
	SecuriteInfo.com.Trojan.MSIL.AgentTesla.MY.MTB.26387.exe	Get hash	malicious	Browse	192.185.174.177
	SWIFT_5201660828948016.pdf.exe	Get hash	malicious	Browse	192.185.174.177
	fake.html	Get hash	malicious	Browse	69.49.246.164
	https://geni.us/SecureCaliberfile	Get hash	malicious	Browse	192.185.28.38
	https://adclick.g.doubleclick.net/pcs/click?adurl=https://550418.secure.micomya.com/./outlook.office.com/mail/inbox/id/thall/op-f/77468616c6c406f702d662e6f7267#dGhhbGxAb3AtZi5vcmc	Get hash	malicious	Browse	162.215.222.33
	Universalmiddel169.exe	Get hash	malicious	Browse	173.254.30.236
	https://venkeywonder.com/gtrsfauvc/xwazutdrs/yxwaertfs/oglvjh0jkhjh/traciparker@smartcabinetry.com	Get hash	malicious	Browse	192.185.181.244
	SWIFT_5201660828948056.pdf.exe	Get hash	malicious	Browse	192.185.174.177
	Shipping Document.exe	Get hash	malicious	Browse	192.185.16.184

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe	new artwork.exe	Get hash	malicious	Browse
	new artwork.exe	Get hash	malicious	Browse
	Processed payment.exe	Get hash	malicious	Browse
	BANK COPY.exe	Get hash	malicious	Browse
	PO CPWPKL-1901088.exe	Get hash	malicious	Browse
	UPDATED SOA.exe	Get hash	malicious	Browse
	Ordem de Compra pdf QD2y.exe	Get hash	malicious	Browse
	INVOICE.exe	Get hash	malicious	Browse
	xox.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	payment.exe	Get hash	malicious	Browse
	REMINDER 1.exe	Get hash	malicious	Browse
	Offer for sale.exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	Offer for sale.exe	Get hash	malicious	Browse
	svbhjvUpxT.exe	Get hash	malicious	Browse
	SHIPMENT DOCUMENT.exe	Get hash	malicious	Browse
	g0t8s6FogF.exe	Get hash	malicious	Browse
	QUATION.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK COPY.exe.log

Download File

Process:	C:\Users\user\Desktop\BANK COPY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yqWDN.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp1205.tmp

Download File

Process:	C:\Users\user\Desktop\BANK COPY.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.184328660661114
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBDYtn:cbh47TlNQ//rydbz9I3YODOLNdq3s
MD5:	86B04371CA462A6BE046C3EAA9671823
SHA1:	3E8E41B4250A4563ED07C9F8AF74B78345B4F257
SHA-256:	2D37DC322D4039166A732F08E8FE4B62C7D48A1B5274FF222D9371D94E247170
SHA-512:	39102335C05F2D7B6892DD425B8A42B1A9ABE5A062F5B7F1799476BE1D1CA0665679C350E555B18DB823FA79E386F1348DE93C560CA76AFFEEC03429C3DF861B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\gPxsznxm.exe

Download File

Process:	C:\Users\user\Desktop\BANK COPY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	798208
Entropy (8bit):	7.742343453025608
Encrypted:	false
SSDEEP:	12288:1lEsuE02iN2UP3L/2+vCU48RXnnYph89YSrHp1S+tzTyy+dT9Z25MqT:4V18UfL5vO8R3YpuYSrHLSozTyJ9Zk
MD5:	0197C423EDDEB8A0ED293E96A152F5A2
SHA1:	068261F9991202B0A75D813F0C25267D28E4FB51
SHA-256:	54877CF2E0D27D13A5E94FCFB0EAE5749BFC56E0E2F548F6410E6E4D56F3EA3F
SHA-512:	8223327EE59D6B93CE6CA2B916DC1583857A66BDF1B4777BD6855C46C3E27563F260CF89138128E7DF60286867CCC39E92734DF82D89C0659D835E30F2192C05
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..b..............P......$......z&... ...@....@.. ....................................@.................................(&..O....@..D ........................................................................... ............... ..H............text........ ...................... ..`.rsrc...D ...@..."..................@..@.reloc...............,..............@..B................\&......H.......8~..XH..............._............................................( ...&..(!.....s"........s#........s$........s%........s&...........0...........~....o'....+...0...........~....o(....+...0...........~....o)....+...0...........~....o....+...0...........~....o+....+...0..<........~.....(,.....,!r...p.....(-...o....s/............~.....+...0...........~.....+.."........0..&........(....r5..p~....o0...(1.....t$....+..*...0..&........(....rC..p~....o0...(1.....

C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: new artwork.exe, Detection: malicious, Browse Filename: new artwork.exe, Detection: malicious, Browse Filename: Processed payment.exe, Detection: malicious, Browse Filename: BANK COPY.exe, Detection: malicious, Browse Filename: PO CPWPKL-1901088.exe, Detection: malicious, Browse Filename: UPDATED SOA.exe, Detection: malicious, Browse Filename: Ordem de Compra pdf QD2y.exe, Detection: malicious, Browse Filename: INVOICE.exe, Detection: malicious, Browse Filename: xox.exe, Detection: malicious, Browse Filename: payment.exe, Detection: malicious, Browse Filename: payment.exe, Detection: malicious, Browse Filename: REMINDER 1.exe, Detection: malicious, Browse Filename: Offer for sale.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: Offer for sale.exe, Detection: malicious, Browse Filename: svbhjvUpxT.exe, Detection: malicious, Browse Filename: SHIPMENT DOCUMENT.exe, Detection: malicious, Browse Filename: g0t8s6FogF.exe, Detection: malicious, Browse Filename: QUATION.exe, Detection: malicious, Browse Filename: PAYMENT COPY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	835
Entropy (8bit):	4.694294591169137
Encrypted:	false
SSDEEP:	24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
MD5:	6EB47C1CF858E25486E42440074917F2
SHA1:	6A63F93A95E1AE831C393A97158C526A4FA0FAAE
SHA-256:	9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
SHA-512:	08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.742343453025608
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	BANK COPY.exe
File size:	798208
MD5:	0197c423eddeb8a0ed293e96a152f5a2
SHA1:	068261f9991202b0a75d813f0c25267d28e4fb51
SHA256:	54877cf2e0d27d13a5e94fcfb0eae5749bfc56e0e2f548f6410e6e4d56f3ea3f
SHA512:	8223327ee59d6b93ce6ca2b916dc1583857a66bdf1b4777bd6855c46c3e27563f260cf89138128e7df60286867ccc39e92734df82d89c0659d835e30f2192c05
SSDEEP:	12288:1lEsuE02iN2UP3L/2+vCU48RXnnYph89YSrHp1S+tzTyy+dT9Z25MqT:4V18UfL5vO8R3YpuYSrHLSozTyJ9Zk
TLSH:	7F05F1F06AF97668F035637636D0A03C3BE2E90BD905E1399DA7934D9752EC046E1A33
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..b..............P......$......z&... ...@....@.. ....................................@................................

File Icon


Icon Hash:	0220839690409040

Static PE Info

General

Entrypoint:	0x4c267a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F10A3F [Mon Aug 8 13:06:07 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2628	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x2044	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc0680	0xc0800	False	0.8528168120941558	data	7.749151091847694	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x2044	0x2200	False	0.8245634191176471	data	7.364406728241504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc4130	0x19ef	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xc5b20	0x14	data
RT_VERSION	0xc5b34	0x324	data
RT_MANIFEST	0xc5e58	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 19:55:48.572746038 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:48.714828014 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:48.715018034 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:48.959501982 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:48.988403082 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.130188942 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.131726980 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.273731947 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.274251938 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.455485106 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.456295967 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.597950935 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.598197937 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.751415014 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.820390940 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.963474035 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.963519096 CEST	587	49752	162.241.217.198	192.168.2.3
Aug 8, 2022 19:55:49.963586092 CEST	49752	587	192.168.2.3	162.241.217.198
Aug 8, 2022 19:55:49.963629961 CEST	49752	587	192.168.2.3	162.241.217.198

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 19:55:48.381268978 CEST	57723	53	192.168.2.3	8.8.8.8
Aug 8, 2022 19:55:48.529407978 CEST	53	57723	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 19:55:48.381268978 CEST	192.168.2.3	8.8.8.8	0x2e54	Standard query (0)	mail.absheron-sharab.az	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 19:55:48.529407978 CEST	8.8.8.8	192.168.2.3	0x2e54	No error (0)	mail.absheron-sharab.az		162.241.217.198	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 19:55:48.959501982 CEST	587	49752	162.241.217.198	192.168.2.3	220-box5507.bluehost.com ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 11:55:48 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 8, 2022 19:55:48.988403082 CEST	49752	587	192.168.2.3	162.241.217.198	EHLO 835180
Aug 8, 2022 19:55:49.130188942 CEST	587	49752	162.241.217.198	192.168.2.3	250-box5507.bluehost.com Hello 835180 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 8, 2022 19:55:49.131726980 CEST	49752	587	192.168.2.3	162.241.217.198	AUTH login ZW1pbi5nYXNpbW92QGFic2hlcm9uLXNoYXJhYi5heg==
Aug 8, 2022 19:55:49.273731947 CEST	587	49752	162.241.217.198	192.168.2.3	334 UGFzc3dvcmQ6
Aug 8, 2022 19:55:49.455485106 CEST	587	49752	162.241.217.198	192.168.2.3	235 Authentication succeeded
Aug 8, 2022 19:55:49.456295967 CEST	49752	587	192.168.2.3	162.241.217.198	MAIL FROM:<emin.gasimov@absheron-sharab.az>
Aug 8, 2022 19:55:49.597950935 CEST	587	49752	162.241.217.198	192.168.2.3	250 OK
Aug 8, 2022 19:55:49.598197937 CEST	49752	587	192.168.2.3	162.241.217.198	RCPT TO:<zakirrome@ostdubai.com>
Aug 8, 2022 19:55:49.751415014 CEST	587	49752	162.241.217.198	192.168.2.3	550-Domain absheron-sharab.az has exceeded the max emails per hour (150/150 550 (100%)) allowed. Message discarded.
Aug 8, 2022 19:55:49.963474035 CEST	587	49752	162.241.217.198	192.168.2.3	421 box5507.bluehost.com lost input connection

Target ID:	0
Start time:	19:55:06
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\BANK COPY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BANK COPY.exe"
Imagebase:	0x780000
File size:	798208 bytes
MD5 hash:	0197C423EDDEB8A0ED293E96A152F5A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.290430667.0000000003BF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	19:55:24
Start date:	08/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPxsznxm" /XML "C:\Users\user\AppData\Local\Temp\tmp1205.tmp
Imagebase:	0x7ff7c9170000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	19:55:25
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	19:55:25
Start date:	08/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xdb0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000000.280231622.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.512101132.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	19:55:39
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Imagebase:	0x6e0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	19:55:39
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	20
Start time:	19:55:48
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe"
Imagebase:	0x3b0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	22
Start time:	19:55:48
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	158
Total number of Limit Nodes:	5

Executed Functions

Function 075B2D00 Relevance: 4.3, Strings: 3, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xck, xrefs: 075B2E1A
Xck, xrefs: 075B2E28
D0k, xrefs: 075B3261

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: D0k$Xck$Xck
API String ID: 0-1795155639
Opcode ID: d60f7fab18e0375caf785218774748cd61988d9776c7400c8aa0a5f3a1890800
Instruction ID: f860615e19ceb222ccebf1c171714602a420c0b89e77d9344bbd9cd8c517b616
Opcode Fuzzy Hash: d60f7fab18e0375caf785218774748cd61988d9776c7400c8aa0a5f3a1890800
Instruction Fuzzy Hash: 8002C2B4B002168FC724DB69C4856FEBBB6FF85204F25846AD40ADB361DB35DC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 075B63F8 Relevance: 2.8, Strings: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oE h, xrefs: 075B65E1
oE h, xrefs: 075B65DA

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: oE h$oE h
API String ID: 0-3624717963
Opcode ID: 321fa30f5b3412ba4571be264fd1937860cc09578fae70eba08e8ede13fa0169
Instruction ID: c476c7be138a7c22fabf60b0f740a1730230e3fb0bcf5c2cc6b8dc6e42f0d37f
Opcode Fuzzy Hash: 321fa30f5b3412ba4571be264fd1937860cc09578fae70eba08e8ede13fa0169
Instruction Fuzzy Hash: 16D116B0D1461ADFCB58CF96C4818EEFBB2FF89300F258559D516AB258C734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 075B6330 Relevance: 1.6, Strings: 1, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oE h, xrefs: 075B65E1

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: oE h
API String ID: 0-3804084906
Opcode ID: fbbccf99f01f2b9a152fa1782dedf4853f79e1685a16ab41a66d699dced1ed3b
Instruction ID: afe1de1215bc31ead2f3c9c49ad6e21d5ca7bced8ea0cb4b2d3ff2927c0368a2
Opcode Fuzzy Hash: fbbccf99f01f2b9a152fa1782dedf4853f79e1685a16ab41a66d699dced1ed3b
Instruction Fuzzy Hash: 7FE19BB1E1960ADFCB18CF95D4818EEFBB2FF89310F248566D505AB254C734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 075B6389 Relevance: 1.6, Strings: 1, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oE h, xrefs: 075B65E1

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: oE h
API String ID: 0-3804084906
Opcode ID: 706c3da5278faf3e210b3864e7d8ec8fb927a5068201c0703ae0612220aff287
Instruction ID: 4eff2dcb582a5d5c45ef4b8a8d1466d566de631a97c40c4340bd343ebe278228
Opcode Fuzzy Hash: 706c3da5278faf3e210b3864e7d8ec8fb927a5068201c0703ae0612220aff287
Instruction Fuzzy Hash: A9E18AB0E1460ADFCB18CF95D4818EEFBB2FF89310F24856AD505AB254C734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 075B4C00 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

'$`, xrefs: 075B4D90

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: '$`
API String ID: 0-2852639213
Opcode ID: fafa65836f60f1514f6b203ee842235a78d331452f6c8b98d041a7866d9831d2
Instruction ID: 6a1cacfd390e9b8818dab2263613e2a455f075ccfc64219f91cbc6e9b23d11bb
Opcode Fuzzy Hash: fafa65836f60f1514f6b203ee842235a78d331452f6c8b98d041a7866d9831d2
Instruction Fuzzy Hash: DA512CB0E1424ADFCB18CFA6C5416EEFBF2FF89600F24D42AD419A7265D7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 075B4C10 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

'$`, xrefs: 075B4D90

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: '$`
API String ID: 0-2852639213
Opcode ID: 02aa93f4f45c1b4823dbbf7626e336353e9f6c15963dd2a44c005935bf349e80
Instruction ID: 1dbe1c39953ff0963303e8d7e5e23604a66942c185a60977c2b53bce7cf2be87
Opcode Fuzzy Hash: 02aa93f4f45c1b4823dbbf7626e336353e9f6c15963dd2a44c005935bf349e80
Instruction Fuzzy Hash: 2E511BB0E1824ADFCB18CFA6C5416EEFBF2FB89200F24D42AD519A7255D7349A418F54

Uniqueness

Uniqueness Score: -1.00%

Function 075B3EE1 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85121a36e709c0bd225c6e7ff06279aac36de1bd94a171f5cfa684f68325b40f
Instruction ID: c5cfdf3d4f6b2ee9a7a2b331117ce9bbb41951ea26d0950b942525974aa31a84
Opcode Fuzzy Hash: 85121a36e709c0bd225c6e7ff06279aac36de1bd94a171f5cfa684f68325b40f
Instruction Fuzzy Hash: C8B18D75E152188FDB14CFA9E8806EDFBB2FF89324F24812AD409AF255C7355946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 075BC070 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a345cc43b1ea1ee24ca138d7c25d4fd1c1c16e3f6dfa9630d27062b21af74b8
Instruction ID: 1c3e845e89017970372681a23ff2f59b64ba48399e14158faed14ab84dea0733
Opcode Fuzzy Hash: 9a345cc43b1ea1ee24ca138d7c25d4fd1c1c16e3f6dfa9630d27062b21af74b8
Instruction Fuzzy Hash: B6D17FB0914205CFCB54EFA9D6899DDBBF2FB49345B1494AAE405DB328DB309901CF64

Uniqueness

Uniqueness Score: -1.00%

Function 075BD468 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae679aa097210a1313c8c9c3a3c114fe246f5c03190e91e7dab418864101c7b
Instruction ID: 72484b7341f8a784a7e8dfcf4c8180b536df2f8450d3b59bf4e0247f74a80a97
Opcode Fuzzy Hash: 7ae679aa097210a1313c8c9c3a3c114fe246f5c03190e91e7dab418864101c7b
Instruction Fuzzy Hash: 5AB116B4E046198FCB14CFA9C5816EEFBF2FF89300F14C565D409AB358E774A9428B65

Uniqueness

Uniqueness Score: -1.00%

Function 075B3FA0 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb9d4ca07d65a20ac5e59e87f8381081c2cf75b2425fd753d864d55fcff414b
Instruction ID: 43c3c8192de45359e32b5cbaea00a9e2dc2bd321c26bbecff4de509c37531ef8
Opcode Fuzzy Hash: 5cb9d4ca07d65a20ac5e59e87f8381081c2cf75b2425fd753d864d55fcff414b
Instruction Fuzzy Hash: 7081E2B4E102198FDB18CFA9D884AEEFBB2FF89300F10952AD419BB254D7359946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08020040 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58bbed2dd5d18e80ca69d5e6f96aa5ae1450ffcfe9490ad1d7f960da2b1aaa5
Instruction ID: f6489f1d9f9f09b5ae6bcb0249b15651c10a1dd4e8ae2c571dd19f43e30f1d69
Opcode Fuzzy Hash: b58bbed2dd5d18e80ca69d5e6f96aa5ae1450ffcfe9490ad1d7f960da2b1aaa5
Instruction Fuzzy Hash: 34813A71E0562ACBDB68CF65CC457DDBBB2BF89300F1082EAD50DA7654EBB05A858F40

Uniqueness

Uniqueness Score: -1.00%

Function 08020006 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41aec0ce4e9c596e77d588a638e40eb794097f90d6c2c02e059de0f193b51f11
Instruction ID: 92dcfaf37142497ac5854ced0dd6ea75cb2d5b8df05406ebb4de399e20480d71
Opcode Fuzzy Hash: 41aec0ce4e9c596e77d588a638e40eb794097f90d6c2c02e059de0f193b51f11
Instruction Fuzzy Hash: 0D613971D0576ACBDB28CF65CC447DABBB2AF89300F1482EAC508A7265EB745A85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 08020283 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9129bf6a96971a8024f1fe4b31c1d445b77375bc2eb2244b677e8e83bde6be
Instruction ID: 7bdc235bd9f06da3fca8ae7f54522142c0338090e34b93b27290253dfb7545a4
Opcode Fuzzy Hash: ff9129bf6a96971a8024f1fe4b31c1d445b77375bc2eb2244b677e8e83bde6be
Instruction Fuzzy Hash: F1511571E1562ACFDB74CF64C984BDAB7B2BF89300F1082EAD109A6650E7B05AC58F40

Uniqueness

Uniqueness Score: -1.00%

Function 080244A8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1cc560751f7249aa4f5670bfbfb747c5521c9b649d198c71437205bb75e7b3
Instruction ID: 6a5081405327815c7ec0ad02ed9af8a7799c20a57df34c37b11e3c57704b7954
Opcode Fuzzy Hash: ff1cc560751f7249aa4f5670bfbfb747c5521c9b649d198c71437205bb75e7b3
Instruction Fuzzy Hash: F6219E71A00624CFDB14CF68D448BEEBBF2BF4D312F148469D045BB261C7789944CB68

Uniqueness

Uniqueness Score: -1.00%

Function 075B5630 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50eddd452881da5248b5ba8d00cc3a44bf30586105cccaf8e21e97f8600b4dd4
Instruction ID: 8e0910491840d5d6b578c38e2760b6853ef1f6dd30616cade5ffab20a69c7163
Opcode Fuzzy Hash: 50eddd452881da5248b5ba8d00cc3a44bf30586105cccaf8e21e97f8600b4dd4
Instruction Fuzzy Hash: A221F6B1E016189BDB28CFAAD8446DEBBB3FFC8310F14C06AD409A6264DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 075B5623 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc67508a175d0130d2506d63000b62dbd3d93314499b4594217101c0a27e19e0
Instruction ID: c9298443e6d6b429fd092423e4a851d72257834736cdc9b65c309d9f30b2508b
Opcode Fuzzy Hash: dc67508a175d0130d2506d63000b62dbd3d93314499b4594217101c0a27e19e0
Instruction Fuzzy Hash: 4F21E7B1E006589BDB28CFABD8453DEBAF3AFC8300F14C16AD409A6258DB7459468F54

Uniqueness

Uniqueness Score: -1.00%

Function 080244B8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f91e33caa35464d71c86944e08b6b78615cd5539df139a42fc7fbc05447f9cf
Instruction ID: 9450fe1140945fbe30dccc47aaef3415a8853378b378c8a77f7d9980d418374b
Opcode Fuzzy Hash: 5f91e33caa35464d71c86944e08b6b78615cd5539df139a42fc7fbc05447f9cf
Instruction Fuzzy Hash: 49115A70D04228CFCB14CFA9D4187EEBBF1AB4E312F14906AD445B3291CBB88984CF68

Uniqueness

Uniqueness Score: -1.00%

Function 075B5620 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd9f98483c89a963d78db4783533c2e81b0b6aa393d2989348fadf5067dffc0
Instruction ID: b21237d7b198595ed4300cc8cfeaa23047e754796b80ef232280e0aa6b214953
Opcode Fuzzy Hash: dfd9f98483c89a963d78db4783533c2e81b0b6aa393d2989348fadf5067dffc0
Instruction Fuzzy Hash: A61196B1E016488BDB18CFA7C9442DEFBF3BFC8310F14C169D409AA258DB7559468F40

Uniqueness

Uniqueness Score: -1.00%

Function 0802456C Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78eb4b0cfc4a53253595eab7127c5fe9960d62d8288555f7c6d6e05c79b1635d
Instruction ID: 022482c15ef2a64e26e2c4405c71a215f2d72cd4c652cf38bdd1a3b54610686b
Opcode Fuzzy Hash: 78eb4b0cfc4a53253595eab7127c5fe9960d62d8288555f7c6d6e05c79b1635d
Instruction Fuzzy Hash: B6E09B5194C6B9CFD7114F6C48655BD7F71AB0B202F14108AD4C1BB552D6E88505C769

Uniqueness

Uniqueness Score: -1.00%

Function 02AD9788 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02AD99CE

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9235d461321944b137439478733317a4c48ecf8c1cf3515bb9f7a13b72fc36b8
Instruction ID: 97852fa3679b4dff5fedd084016ef7e6b5aeaf2d5b9c9fff785c5c4369db6207
Opcode Fuzzy Hash: 9235d461321944b137439478733317a4c48ecf8c1cf3515bb9f7a13b72fc36b8
Instruction Fuzzy Hash: 9C714470A00B058FD724DF29D59479BBBF1BF88708F008929D04ADBA50DB34E809CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0802164C Relevance: 1.6, APIs: 1, Instructions: 145
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 080217AB

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e89ad2239487c07d18751c168a17e3d2d07ced7339df09dabf20b22978ca9443
Instruction ID: 0634c9861c0079be19b8fa5cb76d5e3e53f9bdf0260bb00b5a42bd15a7d65865
Opcode Fuzzy Hash: e89ad2239487c07d18751c168a17e3d2d07ced7339df09dabf20b22978ca9443
Instruction Fuzzy Hash: 4A51E875D00329DFDB61CF99C884BDDBBB2BF48314F14809AE848A7250DB716A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08021658 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 080217AB

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 498482437564dc36420dcf09769c50e0d6f99010b82c543ebfe0dce98a0046fa
Instruction ID: 3745c8662f28feec6393bded1de73c2087d49f10000982c2f2333d14597b9423
Opcode Fuzzy Hash: 498482437564dc36420dcf09769c50e0d6f99010b82c543ebfe0dce98a0046fa
Instruction Fuzzy Hash: 8651F871D00329DFDB60CF99C880BDDBBB6BF48314F14809AE808A7250DB716A89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 08021BF8 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08021C8D

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 29177b5ed0de5bbe3a560ba4230a5f59212d19e2987fb76b445debc3d5aee43a
Instruction ID: e365f6f8114899baccf3a2dbc91491d7ac3a23e013226c9bf447346f0bc2e261
Opcode Fuzzy Hash: 29177b5ed0de5bbe3a560ba4230a5f59212d19e2987fb76b445debc3d5aee43a
Instruction Fuzzy Hash: 9E2134B5900259DFCB10CF9AC885BDEBBF5FF48310F10802AE918A7750D778AA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 08021C00 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08021C8D

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ab971b34b968bfa7aa181e638d35566f2b5fed1c0d36954a37f4e048b4d7ae72
Instruction ID: 6ffd802a599720a0cf97d7b158c6f59de4ecec0ff39f0510c7d8b1882de319c4
Opcode Fuzzy Hash: ab971b34b968bfa7aa181e638d35566f2b5fed1c0d36954a37f4e048b4d7ae72
Instruction Fuzzy Hash: 622112B5900259DFCB10CF9AC885BDEBBF5FF48310F10842AE918A3750D778A954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02ADA4DC Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ADC066,?,?,?,?,?), ref: 02ADC127

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a47fc997119df8ff01816f127ab8e9838a91535fc34b994dee9f80d14297f55
Instruction ID: cc3fcc68487dad163a2596e1c6f4462405ff2c67a947dd37059f827c4cf99fc8
Opcode Fuzzy Hash: 6a47fc997119df8ff01816f127ab8e9838a91535fc34b994dee9f80d14297f55
Instruction Fuzzy Hash: C721E4B5900218AFDB10CF99D984BDEFBF5FB48324F54801AE915A7710D774A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ADC099 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ADC066,?,?,?,?,?), ref: 02ADC127

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f54c9e0c519aea1282b72faeb3d398fc32194480512e317bfa6908d70033019d
Instruction ID: 494092afdbefec905a3c95006bd37b2be0ca00a1d59cf29438d2a0cc50097595
Opcode Fuzzy Hash: f54c9e0c519aea1282b72faeb3d398fc32194480512e317bfa6908d70033019d
Instruction Fuzzy Hash: B121E3B5900218AFDB10CF99D985ADEFBF5FB48324F14801AE915A3710D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 080219C0 Relevance: 1.6, APIs: 1, Instructions: 61
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08021A3F

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 0de83ea9fef51c3018a8efaef1eb1ad1538f34bd8f9175c523c5659fd72b0191
Instruction ID: 04784cecc19e8283952014841ddcba4f247771ba21c48f186d56a2b0cdcef8c8
Opcode Fuzzy Hash: 0de83ea9fef51c3018a8efaef1eb1ad1538f34bd8f9175c523c5659fd72b0191
Instruction Fuzzy Hash: 972156B1E002199FDB00CF99C5857EEFBF4BB08210F04812AD418F3740D778A9458FA0

Uniqueness

Uniqueness Score: -1.00%

Function 08021A81 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08021B07

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5a4c7ef0da5f2178b532a2f55b4de11c16e498fbe8922dbc0ddce69e9deb3c0d
Instruction ID: d172197a700493acbc4d29aaaeb195a4aacc052c5e0e46983656bdde69c0d3e7
Opcode Fuzzy Hash: 5a4c7ef0da5f2178b532a2f55b4de11c16e498fbe8922dbc0ddce69e9deb3c0d
Instruction Fuzzy Hash: 3E21F3B6900259DFCB10CF99D985BDEBBF5BB48310F14842AE518A7610D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08021A88 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08021B07

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3ff551dbd05e9454cf9c50ceb5e687a432a8f3b14f472e9a18b49a5ebb53e7e7
Instruction ID: fc33fe9c805b88625c7d61e1d14e88b9a159d8a1bdffee7222116e296ee4c837
Opcode Fuzzy Hash: 3ff551dbd05e9454cf9c50ceb5e687a432a8f3b14f472e9a18b49a5ebb53e7e7
Instruction Fuzzy Hash: 5F21F3B1900259DFCB10CF9AD884BDEFBF8FB48310F10842AE918A3610D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 080219C8 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 08021A3F

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6d5ddbfbfc25072105f1107b9926e3776a9a1598d742964ee16b5e37ae2b1bf3
Instruction ID: df77fff379a795157f5078f19b574cfa2c1653abe8e40335bde7a5bda4ce6179
Opcode Fuzzy Hash: 6d5ddbfbfc25072105f1107b9926e3776a9a1598d742964ee16b5e37ae2b1bf3
Instruction Fuzzy Hash: A22106B1D002199FDB10CF9AC9857DEFBF4BB48224F54816AD418B3740D778A9548FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AD8AF8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AD9A49,00000800,00000000,00000000), ref: 02AD9C5A

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e45f00ce102084e886d35394164d3fd3958c2f1deae12a2fe46c8c893e31f24e
Instruction ID: fa1b8a02286bf90b619ca8c01b95857a4a6905edcf0a3ef6da46bff3156b6b6a
Opcode Fuzzy Hash: e45f00ce102084e886d35394164d3fd3958c2f1deae12a2fe46c8c893e31f24e
Instruction Fuzzy Hash: DE1114B69002099FCB10CF9AD484BDFFBF4EB88324F10842ED51AA7600C775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02AD9BE8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02AD9A49,00000800,00000000,00000000), ref: 02AD9C5A

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5f4dabd0cda7bf85379a6cc9ec15563be2cee04c276d4c2f82a1e553f01cdaef
Instruction ID: 4a684b80bfe237d0cbf2add7b805becd034e8adf878a931d2794e11f7d6ee6bd
Opcode Fuzzy Hash: 5f4dabd0cda7bf85379a6cc9ec15563be2cee04c276d4c2f82a1e553f01cdaef
Instruction Fuzzy Hash: CD1103B69002099FCB10CF9AD884BDFFBF4EB88324F14842AE41AA7600C774A545CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 075BBF68 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 075BBFDB

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: af46a9330417a14ac18055f63682041c5730ba97ebb3b976360f307accae0558
Instruction ID: 76e549710a78b05033ffdee1cbf0d2b410821e7bcbc910449d925ab32d1c25cf
Opcode Fuzzy Hash: af46a9330417a14ac18055f63682041c5730ba97ebb3b976360f307accae0558
Instruction Fuzzy Hash: 372114B59002499FCB10CF9AC885BDEFBF4FF48320F10842AE458A7650D378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08021B50 Relevance: 1.5, APIs: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08021BC3

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6cba3d9f4e9684ee5cf391a978dea843d99684ec2119abf31adb32e89053901
Instruction ID: 222b402b8bfe6e8d304d62607954c2ef62246dec4776936eacd82ff296a9f358
Opcode Fuzzy Hash: b6cba3d9f4e9684ee5cf391a978dea843d99684ec2119abf31adb32e89053901
Instruction Fuzzy Hash: F61155B5900208DFCB10CF99C884BDEBBF8FF48320F208419E529A7610C374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 08021B58 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08021BC3

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 163d95e704056c99820bb3de52fc1c670c0e4ebf65b41e7aee762b45e89045f1
Instruction ID: 0d520cff5161bc32923a3e024975c2a5244f2986358444bf8197d091c16a1e0e
Opcode Fuzzy Hash: 163d95e704056c99820bb3de52fc1c670c0e4ebf65b41e7aee762b45e89045f1
Instruction Fuzzy Hash: E51110B5900249DFCB10DF9AD884BDEBBF8EB88324F108419E529A7610C375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AD9968 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02AD99CE

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 140130219e50e2927dc5eafba4d8dfb96906a7a03318cc6da57cd5c359b76cbc
Instruction ID: 3c3fcc9674f4d9616e2e2c7a623f357b31c4e852432b778b7e193121ffe75ad2
Opcode Fuzzy Hash: 140130219e50e2927dc5eafba4d8dfb96906a7a03318cc6da57cd5c359b76cbc
Instruction Fuzzy Hash: D211DFB6D002498FCB20CF9AD484BDFFBF4AF88228F14842AD459A7610C779A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08022728 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0802278D

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3a725cd791ddb7df923b286633773ca8c5ccabcb61d054092b5cf937bb1e5451
Instruction ID: f5f4728201a9933210a7b250b0f85412638ff464780b683591f7bff0dfcbce97
Opcode Fuzzy Hash: 3a725cd791ddb7df923b286633773ca8c5ccabcb61d054092b5cf937bb1e5451
Instruction Fuzzy Hash: C311F2B58002499FCB20DF99D889BDEFBF8EB48324F14841AE515A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08022730 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0802278D

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2d54243e779d24bcbbb42c02ce16986d0aab11c0e501e3a6e73c886daf6c9c1a
Instruction ID: b5a9d2ff1977944ac50aa187f143e196e00695fe30c8cb92c2f304b0838b74e3
Opcode Fuzzy Hash: 2d54243e779d24bcbbb42c02ce16986d0aab11c0e501e3a6e73c886daf6c9c1a
Instruction Fuzzy Hash: 7D11E2B5900349DFDB10DF99D889BDEFBF8EB48324F20841AE515A7600C375A994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08021DB1 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08021E17

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 17b31d19bea953a2fd32a9e6ab0a70466f95f36608552f08ae3109f444dbb0d1
Instruction ID: eaa36d10a2af18b1c10fe4cd456336d3da67b50ac44e99b22fe368c040099e63
Opcode Fuzzy Hash: 17b31d19bea953a2fd32a9e6ab0a70466f95f36608552f08ae3109f444dbb0d1
Instruction Fuzzy Hash: 791100B5900249CFCB10CF99D985BDEBBF4EB48224F20841AD519B7600C378A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08021DB8 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08021E17

Memory Dump Source

Source File: 00000000.00000002.313893456.0000000008020000.00000040.00000800.00020000.00000000.sdmp, Offset: 08020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8020000_BANK COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 50135755ae0a40215694bfea7611d2163fcf8be189d482a1b2a26a70ffae5a39
Instruction ID: a951da1c02810fbf638a9141b3702186025f4ccf19eee6ad5a1d8116a7c30c1c
Opcode Fuzzy Hash: 50135755ae0a40215694bfea7611d2163fcf8be189d482a1b2a26a70ffae5a39
Instruction Fuzzy Hash: 5B1112B1900249CFCB10DF9AD885BDEFBF8EB49324F20841AD519A7700C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.282812375.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e23cc2a4c0ab1c24386436fe8f0dffd0f78dddd6cedae9ef4e2684dc617819
Instruction ID: 635019f0f490033b2e73a62e4e4d077590ce97291e1554fba040302b1aca09ba
Opcode Fuzzy Hash: 00e23cc2a4c0ab1c24386436fe8f0dffd0f78dddd6cedae9ef4e2684dc617819
Instruction Fuzzy Hash: 742107B1508240DFDB15DF90DCC0B66BF75FB94328F24C569E8096B686C336E896C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0111D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283510007.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a611265501f3f7041685b784216c538fa42f05597bd196915bede7936b6f6f
Instruction ID: 916950fe70305e930602b55e57b368e8ae530a97b6bbf2d58ca3cb3686f072ee
Opcode Fuzzy Hash: d1a611265501f3f7041685b784216c538fa42f05597bd196915bede7936b6f6f
Instruction Fuzzy Hash: 5721F571504240DFDF09DF94E9C4B66FBA5FB84324F24C67DE8094B64AC336D846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0111D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283510007.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc543750f6d508f8c23c5967a3b4d5dd6d94aab595ff4e40cebbeb1449e030e
Instruction ID: 0391e416f9832dfb06d98038067b1fe0cc0ea6137cf81af690b853fa0c86ed13
Opcode Fuzzy Hash: dcc543750f6d508f8c23c5967a3b4d5dd6d94aab595ff4e40cebbeb1449e030e
Instruction Fuzzy Hash: 2221D075504240DFDF19DF54E8C8B26FB65FB84354F24C5BDD8094B64AC33AD84ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.282812375.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction ID: 96ec9a8fb1236755268e26787bd3baabdef6506a19a63d882ab4cbed658c5245
Opcode Fuzzy Hash: 8fbef4a1e70deff03197093d81f521a6a7c6ef6ce65c584de2f463e24d10b77d
Instruction Fuzzy Hash: 0111E676404280DFCF12CF50D9C4B16BF71FB94324F24C6A9D8495B656C336E896CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0111D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283510007.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction ID: 6e3145e28c61d88ddbbe87454957ea1f95efd8ff9c2e6b1763162a129c47b51f
Opcode Fuzzy Hash: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction Fuzzy Hash: 0B11BE75504280CFDB16CF14E5C4B16FB61FB84314F24C6A9D8094B65AC33AD44ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0111D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.283510007.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_111d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction ID: c80fb330e14a5f2624ae79f4acbae3ddf9551c48271dee584d4c9e12432cd64c
Opcode Fuzzy Hash: b12f6e5284a8006670de04e8acf0eae73a3b637b28784ce6af087747e0efce52
Instruction Fuzzy Hash: F011BB75904280DFDF06CF54E5C4B55FBB1FB84224F28C6A9D8494B65AC33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.282812375.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab8f654c1932eb4cfbd45a5fd21c41a92bf2ed54904e4be405c30cd3e9458a4
Instruction ID: 86ed5abf5b9f228f41e9ffd983eed88e1043ec4ac33e4c463d87a4c32c375162
Opcode Fuzzy Hash: cab8f654c1932eb4cfbd45a5fd21c41a92bf2ed54904e4be405c30cd3e9458a4
Instruction Fuzzy Hash: 2C01D47150C3409AE7205A55CC84BA6FBE8EB82378F1C851BE9046B686D3799884C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E0D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.282812375.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0d000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d2bc2f63ce6807f9c2e44b0a50407750b1cf3e5f3bbcc44597d04f9fe546e1
Instruction ID: 4f42d8ef371bc667e0565694ca08065b9ff59e6062c2907ccf422f2452e9499e
Opcode Fuzzy Hash: b3d2bc2f63ce6807f9c2e44b0a50407750b1cf3e5f3bbcc44597d04f9fe546e1
Instruction Fuzzy Hash: 04F04F715082849EE7109E55DCC4BA2FBE8EB81778F18C55AED085A686C3799C84CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 075BD938 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

'QsR, xrefs: 075BDD7A
D0k, xrefs: 075BDA8B

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID: 'QsR$D0k
API String ID: 0-2312413296
Opcode ID: 5865a9fd94a38efb46fdf9eadeda39e189e5e836301de199e8adf4fcd9e2b8c9
Instruction ID: 46df050021a5eb6019d54d5ed178ee6b218d90ee6207e5a2bc86f758738bd85f
Opcode Fuzzy Hash: 5865a9fd94a38efb46fdf9eadeda39e189e5e836301de199e8adf4fcd9e2b8c9
Instruction Fuzzy Hash: CED19DB1F1521A9FCF14DFA5C4416FEBBB2BF89344F14842AD405AB354DB7899018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02ADE820 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8644e2c68958442d3a4adf6aee07b366c50e84f8363f777f4a5757f4bc317aa9
Instruction ID: 87ea5375f7ec39f97fa9fe4f711c518e75a386db353cf2842927bb628c1cb527
Opcode Fuzzy Hash: 8644e2c68958442d3a4adf6aee07b366c50e84f8363f777f4a5757f4bc317aa9
Instruction Fuzzy Hash: 4312C6F9C917468BD310CF65E48C1893BE1B7E1328BD04A2AD2611BAD1DBB6D16BCF44

Uniqueness

Uniqueness Score: -1.00%

Function 02ADBF54 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065779f0f28dec839420a9c0dd846f2299bd124aa08378999be536fa922ffc4b
Instruction ID: 73bcbc29cceb7ed04316a4bc3fcf9b0107b666ecd076051a7a1d53c1e4077be8
Opcode Fuzzy Hash: 065779f0f28dec839420a9c0dd846f2299bd124aa08378999be536fa922ffc4b
Instruction Fuzzy Hash: ECA15A36E00609CFCF15DFA5C98459EBBB2FF88304B15856AE906AB220EF31E955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ADE810 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.284410430.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ad0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f1a64b6df4de4a5ea76b671368557e01f86be0d3d2c45838eb160c110410a7
Instruction ID: ea9da8ba533f679e15c48cd1e4b2aaa69dc913eacc07b9284c59a84e8a5d2ca1
Opcode Fuzzy Hash: f5f1a64b6df4de4a5ea76b671368557e01f86be0d3d2c45838eb160c110410a7
Instruction Fuzzy Hash: 52C15DB9C917058BD310CF65E8881893BE1FBE5328F904A29D2612B6D0DFB6D16BCF44

Uniqueness

Uniqueness Score: -1.00%

Function 075B9726 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c826f6809fd60643f2f58f0460dcf0f0050a91ab05edae10d5027a1ad0cc2d
Instruction ID: 526c007348dfc756e0443cbccd5ce4a44f9a7cb2d0dce72559e3dd3800d60317
Opcode Fuzzy Hash: 87c826f6809fd60643f2f58f0460dcf0f0050a91ab05edae10d5027a1ad0cc2d
Instruction Fuzzy Hash: A951FA72E056598FEB18CF679C402DAFBF3FFC9210F14C1AAC448AB265DB3006868E41

Uniqueness

Uniqueness Score: -1.00%

Function 075B7EE0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e8149e2b7cc1b11d612f3499734c71bc99e64f4b4d6d6a7340cf9254e1489b
Instruction ID: 324451a88404e6beb5a247de346fcf1866f2b3bdcdff0b9bbe5ad7f1aac7c579
Opcode Fuzzy Hash: c0e8149e2b7cc1b11d612f3499734c71bc99e64f4b4d6d6a7340cf9254e1489b
Instruction Fuzzy Hash: FA7104B4D1520ACFCB14CF99D4808EEFBF2FF89210F14991AD415AB214D334AA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 075B7ED0 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c98eb7f1b186e4735ab2b0ebad3429b8e7e25e8e84b7d7fd4c5a8b5552a6ce0
Instruction ID: fc31def3e0a3e9554bdebf03c1caecfeb8d601393e57e35783204c4edd5df553
Opcode Fuzzy Hash: 3c98eb7f1b186e4735ab2b0ebad3429b8e7e25e8e84b7d7fd4c5a8b5552a6ce0
Instruction Fuzzy Hash: 0B6112B4E1020ACFCB14CF99C4809EEFBF6FF89210F149916D414AB204D734AA82CF99

Uniqueness

Uniqueness Score: -1.00%

Function 075B8200 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422fae9ac7cc8092f8bb7435850810100717ad3a73c5af1559f08e2f8dad9a14
Instruction ID: b95dd3ae0b784a5f4dc0c9e5ea5ba8528eff8c6f69a9030247e2fe78e56689fa
Opcode Fuzzy Hash: 422fae9ac7cc8092f8bb7435850810100717ad3a73c5af1559f08e2f8dad9a14
Instruction Fuzzy Hash: 096148B4E1420ADFCB14CFA6D8805EEFBB6BF89310F14941AD511A7348D735AA42CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 075B81F0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24dc29073f87808c2f3176e5d1201ae0044197fee0ce75bb0641fcfa34d4fea
Instruction ID: aad6d858d2c174a0bb25c653791c46ddeb1e34909bca2a01eb83dd95e4845546
Opcode Fuzzy Hash: a24dc29073f87808c2f3176e5d1201ae0044197fee0ce75bb0641fcfa34d4fea
Instruction Fuzzy Hash: D26149B4E1420ADFCB14CFA6C8815EEFBB6FF89300F149426D511A7314D735AA468FA4

Uniqueness

Uniqueness Score: -1.00%

Function 075B8818 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5525ac2b5c7041fcc470de3082aa7ff102b11454a3b7707b86a7c592571c36
Instruction ID: df8952037980c3d2cec827cad26e6e33e276599c912d4b11bb6b9c62558f5580
Opcode Fuzzy Hash: 3d5525ac2b5c7041fcc470de3082aa7ff102b11454a3b7707b86a7c592571c36
Instruction Fuzzy Hash: 5561E5B0E15219CFCB18CFA9C9845EEFBF6FF89210F24982AD515B7314D734A9418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 075B8808 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469c97bdbc81c993a3772aec74b440b265486eec1415cce3cad5e983109caca1
Instruction ID: 84411eb6d3a904039c99227ae5610ce346fb2f6c3cf964690182cad32439d6e6
Opcode Fuzzy Hash: 469c97bdbc81c993a3772aec74b440b265486eec1415cce3cad5e983109caca1
Instruction Fuzzy Hash: D261F8B0E152098FCB18CFA9C9845EEFBF6FF89210F28986AD515B7314D734A941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 075B85B0 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57e8c94235ed46b78ee9707be846c62761ec9bf0e63bb19e0cd5f6deebdb2c
Instruction ID: a84c3ff3879fb0b6d808b754259b20a1fc3b0c12f5e193da79aff9bc010104ed
Opcode Fuzzy Hash: 2f57e8c94235ed46b78ee9707be846c62761ec9bf0e63bb19e0cd5f6deebdb2c
Instruction Fuzzy Hash: E25119B0D1560A9FCB58CFAAC4815EEFBF6FF98300F14D42AC415A7254D334AA428F99

Uniqueness

Uniqueness Score: -1.00%

Function 075B85C0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d1e577fdd98729acdb7bea61c7ed0b6033db6f22577eed56d43ebf4a7069af
Instruction ID: fc28868f09f53278a3b73e6dbd0a7ee1d9b81d1b7980fa1cb8334fc93803d4bc
Opcode Fuzzy Hash: a3d1e577fdd98729acdb7bea61c7ed0b6033db6f22577eed56d43ebf4a7069af
Instruction Fuzzy Hash: 925109B0D1560A9FCB48CFAAC4815FEFBF6BF99300F14D42AC415A7254D334AA418F99

Uniqueness

Uniqueness Score: -1.00%

Function 075B8A60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f4702ce996c853ad79cb5cba7a09e457815537c62572d3fa061fd684d2bde4
Instruction ID: 69682434b382ff08920e798253f06e74b6aeb7d397db7c2a6893a155fb4ccfa1
Opcode Fuzzy Hash: e3f4702ce996c853ad79cb5cba7a09e457815537c62572d3fa061fd684d2bde4
Instruction Fuzzy Hash: 1F41F4B0E1520ADFCB58CFA9C5815EEFBB6BB89310F24D56AC405B7214DB34AA418F94

Uniqueness

Uniqueness Score: -1.00%

Function 075B8A52 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff4dfeb1838daece57fd7ed58d807da75b83bfcda6eb9d9b8938f19f4ed54e1
Instruction ID: 64419932fd74de1cbf35962d0b4b9a0c34771035f75487db3dac2669ee9fc4c3
Opcode Fuzzy Hash: 0ff4dfeb1838daece57fd7ed58d807da75b83bfcda6eb9d9b8938f19f4ed54e1
Instruction Fuzzy Hash: 8F410BB0E1520ADFCB08CFA9C5414EEFBB6FB89310F24D56AC415B7254D734AA428B94

Uniqueness

Uniqueness Score: -1.00%

Function 075B9770 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4dc22339d44b55c7cbb25e51a22cd31bff0c8271f1a48512540c4655c6c384b
Instruction ID: 251aa88137dfb19ddfae693c6b2838395f236f3a13fa06be096d583c276a6690
Opcode Fuzzy Hash: e4dc22339d44b55c7cbb25e51a22cd31bff0c8271f1a48512540c4655c6c384b
Instruction Fuzzy Hash: 11415EB1E156188BDB68CF6B8D452DAFAF3BFC9200F14C1BA950CA6264DB3419858E11

Uniqueness

Uniqueness Score: -1.00%

Function 075BC540 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14db0de72a6ac78b49e2532e4ee5431cce30633243591e1468b0b8081ad7033
Instruction ID: f731175d8ac135d300162c0b81fd328396c6d2576f2813a902b5070b818f7e6e
Opcode Fuzzy Hash: b14db0de72a6ac78b49e2532e4ee5431cce30633243591e1468b0b8081ad7033
Instruction Fuzzy Hash: 27315A70E156198FDB18CFAAD8816EEFBF2FFC9200F10C56AD408A7254DB305A018F54

Uniqueness

Uniqueness Score: -1.00%

Function 075B3340 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86aa094c115d14cbc80af005aad307ee75ef9813275f91921978a17c57f7259
Instruction ID: a0ca78f9b4682998415bf82c650d20e08a8842b82e8f443aa2d311b499fbb7f9
Opcode Fuzzy Hash: a86aa094c115d14cbc80af005aad307ee75ef9813275f91921978a17c57f7259
Instruction Fuzzy Hash: 7311AAB1E146189BEB18CFABD8446DEFBF7AFC8200F04C17AD918B6264EB3415568F51

Uniqueness

Uniqueness Score: -1.00%

Function 075B8C40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef09f77f7f2ff8dfe40b424baa6719a848b2dfd7a1df7cd19078282f1c8556d
Instruction ID: a23480ec8fae10a5540cadd732ceedac4d0d046efdfcbf16827aab62beca2f38
Opcode Fuzzy Hash: 0ef09f77f7f2ff8dfe40b424baa6719a848b2dfd7a1df7cd19078282f1c8556d
Instruction Fuzzy Hash: D411EFB1E046188BEB18CFABD8406DEFAF7BFCC200F04C17AC918A6214DB3415568F55

Uniqueness

Uniqueness Score: -1.00%

Function 075B3330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2228c82160270b1add6f8d3ffbe5bccb9b5ad28890811872cf3967df9cca4e05
Instruction ID: e67cfc1fc09fb02c9e6cc46478e15c45a7d14e69ff401409b80e5a346efe53e8
Opcode Fuzzy Hash: 2228c82160270b1add6f8d3ffbe5bccb9b5ad28890811872cf3967df9cca4e05
Instruction Fuzzy Hash: 8F119CB1E046189BEB5CCFABC8457DEFAF3ABC8200F08C17AD918B6254EB3455468E55

Uniqueness

Uniqueness Score: -1.00%

Function 075B8C30 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.312255424.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75b0000_BANK COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cbe5e5194a394cb855df6018e0eef3adf268a60cceeac2caec0b7051eb5b2d
Instruction ID: de69407071776e521c63c5a735d88ffb76e6e7117e0c64b46c28af1334dca3e8
Opcode Fuzzy Hash: e5cbe5e5194a394cb855df6018e0eef3adf268a60cceeac2caec0b7051eb5b2d
Instruction Fuzzy Hash: AD11D0B1E006188BEB58CFABC9457DEFAF3AFC8200F08C176C518A6258EB3455468E55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 4692, Parent PID: 5724COMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	297
Total number of Limit Nodes:	16

Executed Functions

Function 069AC7E8 Relevance: 4.8, Strings: 3, Instructions: 1013COMMON

Download Yara Rule

Strings

Xck, xrefs: 069AD1C6
Xck, xrefs: 069AD1BC
D0k, xrefs: 069AC93B

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID: D0k$Xck$Xck
API String ID: 0-1795155639
Opcode ID: da2937526e0127c118d88552889ce0708d9e0ce3b8b03dea69794f5c3fb5384e
Instruction ID: 8e2f29e0bcc1adfd5e965cf4eacfec1f14e94c85f0de2f24c48fcc7e99332f0f
Opcode Fuzzy Hash: da2937526e0127c118d88552889ce0708d9e0ce3b8b03dea69794f5c3fb5384e
Instruction Fuzzy Hash: 9172CF30B003159FDB54EBA8C854BAEB7F6AF89204F248469E40ADB785DB34DC46C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 069A65F0 Relevance: 2.9, Instructions: 2857COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecc73cf78a43d6c211cc1fefc8a97a4da8e15748e07d7a9974b40bcc5f2250a
Instruction ID: 2e4912f7f1116b49c00031c8acd807573eb29406306ca99868afc0e676ec32de
Opcode Fuzzy Hash: 5ecc73cf78a43d6c211cc1fefc8a97a4da8e15748e07d7a9974b40bcc5f2250a
Instruction Fuzzy Hash: 44531C30D10B1A8EDB61EF68C980699F7F5FF99310F10D69AD459A7610EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 069A721A Relevance: 2.5, Instructions: 2473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec45150400acebae0f49ffee2444f723955dd25772b1cc4329b578cbedc0e3bd
Instruction ID: afcb5ddb0a14bc736852a1a2ad0e390e370dc3f47d6e068b05b04eaadd483d2c
Opcode Fuzzy Hash: ec45150400acebae0f49ffee2444f723955dd25772b1cc4329b578cbedc0e3bd
Instruction Fuzzy Hash: 29433F30D10B198EDB61EF68C984699F7F5FF99310F10C69AD459AB611EB30AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 069764D0 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0697652F

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b27ec6a3e317430016ce9ac3931aaed7f617c4dd4061a601a9fdbd25cdf36003
Instruction ID: 5f4715447bf8d550fffab44e4a75fb73677b65a37bb4218f1a9170d2345d20b6
Opcode Fuzzy Hash: b27ec6a3e317430016ce9ac3931aaed7f617c4dd4061a601a9fdbd25cdf36003
Instruction Fuzzy Hash: 4151A270A002059FCB54FBB4D845AEEB7FAFF89208B148969D5129F395DF34E944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690C630 Relevance: 6.1, APIs: 4, Instructions: 125
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0690C6A0
GetCurrentThread.KERNEL32 ref: 0690C6DD
GetCurrentProcess.KERNEL32 ref: 0690C71A
GetCurrentThreadId.KERNEL32 ref: 0690C773

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e71886d8c37b7982d0a9ffca68b7dff44f3cbc68ba48e1509dcfefb14f2d5e11
Instruction ID: 6f8f3016f4eb6799c4d706e55a2ece24b2c55a761c4bf98bee90aecebd1f2bbc
Opcode Fuzzy Hash: e71886d8c37b7982d0a9ffca68b7dff44f3cbc68ba48e1509dcfefb14f2d5e11
Instruction Fuzzy Hash: 435142B4900209DFDB14CFAAD948BDEBBF1EF88314F208559E409B7790D734A884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0690C640 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0690C6A0
GetCurrentThread.KERNEL32 ref: 0690C6DD
GetCurrentProcess.KERNEL32 ref: 0690C71A
GetCurrentThreadId.KERNEL32 ref: 0690C773

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2531e1b15636bc5f1625854d265b29341762c97dcf099ac0b047c46d5d93f050
Instruction ID: 839455b15a6e0a548ce22150e9941374a33a489e8f122f694690de74114e61d2
Opcode Fuzzy Hash: 2531e1b15636bc5f1625854d265b29341762c97dcf099ac0b047c46d5d93f050
Instruction Fuzzy Hash: EA5131B4900209DFDB14CFAAD948BDEBBF1EF88314F208559E409B77A0D7749884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 062674C5 Relevance: 3.3, APIs: 2, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b624b044222941e033ff4f5790efef469c6feb5379e28109f7b676fa2f4a1af7
Instruction ID: fc6f738e93d979983edd09ee312278453ab4bcd425d9c9ac52b52c9c981ab86b
Opcode Fuzzy Hash: b624b044222941e033ff4f5790efef469c6feb5379e28109f7b676fa2f4a1af7
Instruction Fuzzy Hash: 4D02C734911368CFDB65DF30E88C699B7B6BF4931AF1041E9D90A96340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062674AE Relevance: 3.3, APIs: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17b51d2d16eeee8d85f34bbdb20efa26d6bbb53a8fa8192daa2b820de8a4e3ea
Instruction ID: 28edd4ec8c290415ade0e051b318d1f8331416c79631a4bf4cda3a07ac442572
Opcode Fuzzy Hash: 17b51d2d16eeee8d85f34bbdb20efa26d6bbb53a8fa8192daa2b820de8a4e3ea
Instruction Fuzzy Hash: 8102B734911368CFDBA5DF30E88C699B7B6BF4931AF1041E9D90A56340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267502 Relevance: 3.3, APIs: 2, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4a156094c2b0d4bbcbf2614c94876c20f0588648f7a54b8936d2db9876d930d1
Instruction ID: 681d1ddb4a1f6cdfbd65f59eb63aecc31936d28c4b0eb9b58e8ee77686d178c4
Opcode Fuzzy Hash: 4a156094c2b0d4bbcbf2614c94876c20f0588648f7a54b8936d2db9876d930d1
Instruction Fuzzy Hash: E102C734911368CFDBA5DF30E88C699B7B6BF4931AF1041E9D90A56340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0626753F Relevance: 3.3, APIs: 2, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5cb717762a40eb30c900b72465868a29e992054d8ca4efd1ab042147354ad805
Instruction ID: 13f133a30c4718ffb303aa35d0bfe201133c7d3d39918afe34daecf554a85cc4
Opcode Fuzzy Hash: 5cb717762a40eb30c900b72465868a29e992054d8ca4efd1ab042147354ad805
Instruction Fuzzy Hash: A802B734911368CFDB65DF30E88C699B7B6BF4931AF1041E9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0626757C Relevance: 3.3, APIs: 2, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3e706cce6b9f6163c610b6f28d9fa2c2df2b74b2da3dae2f170a6d8dea7a70dd
Instruction ID: a388fb420a054e0c72ea7463d90723166b72a75cb63dc52b4c9f13948c8c6cae
Opcode Fuzzy Hash: 3e706cce6b9f6163c610b6f28d9fa2c2df2b74b2da3dae2f170a6d8dea7a70dd
Instruction Fuzzy Hash: 33F1C734911368CFDB65DF30E88C699B7B6BF4931AF1041E9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062675B0 Relevance: 3.3, APIs: 2, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 76a964582f9656773a7d54ecbaeffeda98528bbd1e42b7df6aa67e7171a70a3d
Instruction ID: db86249b006874711fdc9cc3aae68475eebc2d39a66b7a416bbf0cc561c207a8
Opcode Fuzzy Hash: 76a964582f9656773a7d54ecbaeffeda98528bbd1e42b7df6aa67e7171a70a3d
Instruction Fuzzy Hash: 4BF1B734911368CFDB65DF30E88C699B7B6BF4931AF1041E9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062675ED Relevance: 3.3, APIs: 2, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 129310281488ce1d8476a423768da98829054f512d3cde359fc7a2806853c6b2
Instruction ID: 7ab0027b41cb079158ac35cef3a8f730545c2d9a7d03d459f3fe491aa93ad244
Opcode Fuzzy Hash: 129310281488ce1d8476a423768da98829054f512d3cde359fc7a2806853c6b2
Instruction Fuzzy Hash: E1F1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0626762A Relevance: 3.3, APIs: 2, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a765ff5e79fb51c30688dbcc6ac62e292acd1e5fac62dd1c6882a00d9c2d45b5
Instruction ID: 2265149d3a94ad147c946d854d876ecde25c44df98ac8d413a81434cf43fc3ee
Opcode Fuzzy Hash: a765ff5e79fb51c30688dbcc6ac62e292acd1e5fac62dd1c6882a00d9c2d45b5
Instruction Fuzzy Hash: 73F1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267671 Relevance: 3.3, APIs: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2e98e32d961192fb0c91d520ad91d7f19d8fd5e64007f538cd1fa933e6f6e3b1
Instruction ID: 8c57e28aac30e56c3c582509b7ca4f68b617a3b3547c236e8f4666e128fa5d01
Opcode Fuzzy Hash: 2e98e32d961192fb0c91d520ad91d7f19d8fd5e64007f538cd1fa933e6f6e3b1
Instruction Fuzzy Hash: E1F1B534911368CFDBA5DF30E88C699B7B6BF4931AF1041E9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062676AF Relevance: 3.3, APIs: 2, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ec9c17f3cb53d3a9d0200a94cfc753671dbe71d809b8986f60414926ec0fc82a
Instruction ID: c59e609a9003a939e219c775f623b47c29f248a9ed444df10971c1e306caf3f2
Opcode Fuzzy Hash: ec9c17f3cb53d3a9d0200a94cfc753671dbe71d809b8986f60414926ec0fc82a
Instruction Fuzzy Hash: 94E1B634911368CFDB65DF30E88C699B7B6BF4931AF1041D9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062676F6 Relevance: 3.3, APIs: 2, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f1bb062bb6918c78fa4be7967446b95d70a81fdb718836ed2133fcc55d4dfa8c
Instruction ID: 6e3525f1618916acaebf3bc7e2bfcaa812016831ca840f9804ed8f919fab58d7
Opcode Fuzzy Hash: f1bb062bb6918c78fa4be7967446b95d70a81fdb718836ed2133fcc55d4dfa8c
Instruction Fuzzy Hash: 50E1B534911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0626773D Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267763
KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 17ee906eef018d8f3ffda94c65032eb39149615732acc20edae0ea741d2d4d83
Instruction ID: 238e897d9b57e527ce4c19b34311db6ab6d681cde2a3b5fa8272c95af426a608
Opcode Fuzzy Hash: 17ee906eef018d8f3ffda94c65032eb39149615732acc20edae0ea741d2d4d83
Instruction Fuzzy Hash: 06E1C634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267784 Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 55f1720445fbd15d720c8a163ab60f4ca444daaaf20983d454cdfb39aff8227b
Instruction ID: 817c1faa807ed1abe75a2ba33ca5b18144f6bc38615224abc911707ec30a0e1e
Opcode Fuzzy Hash: 55f1720445fbd15d720c8a163ab60f4ca444daaaf20983d454cdfb39aff8227b
Instruction Fuzzy Hash: C7E1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062677CB Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8540595229da2f2752de46d3df8f71d2f7feb0607935f56630960b25f043501d
Instruction ID: ff4d6db29fe358b1cdf9034867b7274c40110359b9b9052ef4ce8f17bd5a1061
Opcode Fuzzy Hash: 8540595229da2f2752de46d3df8f71d2f7feb0607935f56630960b25f043501d
Instruction Fuzzy Hash: 93D1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267812 Relevance: 1.8, APIs: 1, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6f2be1a47d1cae20a54ead4e03d3260307fd5124e516c6e215f19046b1405739
Instruction ID: 18765686188ece1e85d2d279d539588f47db1994adcd16a70fa1d40e944d8d5b
Opcode Fuzzy Hash: 6f2be1a47d1cae20a54ead4e03d3260307fd5124e516c6e215f19046b1405739
Instruction Fuzzy Hash: 30D1B534911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267859 Relevance: 1.7, APIs: 1, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3b951b8ec71b26c4205f37537c571ff4bd14162e3701287433c2bc922793be03
Instruction ID: f7334994c07d98f46e4324efc13f095087792f1839faa98029b46390646700e2
Opcode Fuzzy Hash: 3b951b8ec71b26c4205f37537c571ff4bd14162e3701287433c2bc922793be03
Instruction Fuzzy Hash: 5ED1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062678A0 Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aa68332833cc15de270269a8084e74c9b21b411b70af10268df445e0a78a1a5f
Instruction ID: 6a9b9ac888191f8ce75763ac3b6ac706d82d9f546a0cba0c329fef05afadedf8
Opcode Fuzzy Hash: aa68332833cc15de270269a8084e74c9b21b411b70af10268df445e0a78a1a5f
Instruction Fuzzy Hash: 86C1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041E9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 062678DE Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c11bd84c830f5f01b683ae0a9af8604e6b0e4d86fe72225f79fc1ba1646b2b4d
Instruction ID: b68cde878251019dbeae4c1f0a4e19fab02e4a2cdfa4a85428cbccc7aedef0a1
Opcode Fuzzy Hash: c11bd84c830f5f01b683ae0a9af8604e6b0e4d86fe72225f79fc1ba1646b2b4d
Instruction Fuzzy Hash: 0CC1B634911368CFDBA5DF30E88C699B7B6BF4931AF1041D9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06267925 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d544885a68aac3e3edcf0ab368a456255d3fe4a1063038d861e4d3f6bb60183c
Instruction ID: df852c4c631e2dd17c7f7663545f2bf94bbad1371785c592a63a4e6dfbed3cf1
Opcode Fuzzy Hash: d544885a68aac3e3edcf0ab368a456255d3fe4a1063038d861e4d3f6bb60183c
Instruction Fuzzy Hash: 79C1B634911368CFDBA5DF30E88C699B7B6BF49316F1041D9D90A66340DB395E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0626796C Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06267992

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e8783fb9d39e91a9d1d04e37ca38abae062799bb53e4a0474ab3cd3c675a500
Instruction ID: 61621587c3cf0205f226ee7d233e651d7ea599328b0ab1f0c905b9d6bd376767
Opcode Fuzzy Hash: 7e8783fb9d39e91a9d1d04e37ca38abae062799bb53e4a0474ab3cd3c675a500
Instruction Fuzzy Hash: 7FB1B534911368CFDBA5DF30E88C699B7B6BF49316F1041D9D90AA6340DB399E81CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06972008 Relevance: 1.7, APIs: 1, Instructions: 185libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06972049

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 947f5deac65ff6fd9c9435b189e3234834214770518e3841b07d670e2d00f795
Instruction ID: e24ef1bf4e61565b5f69a2532756ea85576108aff7c92793e7a60e1143d2c53d
Opcode Fuzzy Hash: 947f5deac65ff6fd9c9435b189e3234834214770518e3841b07d670e2d00f795
Instruction Fuzzy Hash: 6D715C30A10209DFDB58EFB4D4596AEB7B2BF88304F108928D406AB754DF79DE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069729E0 Relevance: 1.6, APIs: 1, Instructions: 144registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06972AF9

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 851758ee832c90343b42c3afbe400c8bb2b3fef68f975c905e546257264fe27f
Instruction ID: 85abe696d0514063d134a33fc928d6fbada5adab4593cbfc0d8b1a409b277f1d
Opcode Fuzzy Hash: 851758ee832c90343b42c3afbe400c8bb2b3fef68f975c905e546257264fe27f
Instruction Fuzzy Hash: 54517B71E103589FCB20CFA9C9846DEBBF5BF49314F24806AE819EB751D7349A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 069764C0 Relevance: 1.6, APIs: 1, Instructions: 142libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0697652F

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce57de12184fb8fa398b0b4533403d7d980f574ca6c46f59236cac2769a830bc
Instruction ID: b30d9dd80f351533571eb2923d2006984f1c69b2c5ef3d81615b2b122b891663
Opcode Fuzzy Hash: ce57de12184fb8fa398b0b4533403d7d980f574ca6c46f59236cac2769a830bc
Instruction Fuzzy Hash: 7851A330A002069FCB54EFB4D845AAEB7F6FF88208F148929D4169F255DF34E944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06971FA8 Relevance: 1.6, APIs: 1, Instructions: 139libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06972049

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e6eb6aca8c2693f3db5c820339ae6fe6ec68b47627e2ee4f370416997d9fd5d
Instruction ID: 91fe28a07feb5081e33a696d1191278fe082503ef40f01c94391c031436f47d6
Opcode Fuzzy Hash: 4e6eb6aca8c2693f3db5c820339ae6fe6ec68b47627e2ee4f370416997d9fd5d
Instruction Fuzzy Hash: E251F030A24349CFDB58DFA4D8547AEBBB1FF85304F2484AAD4059B251DB38DD46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06907E10 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925c54b5e8a66599835c4130d72a561d0dac7e3bb060a8c8d3674e39af2454c3
Instruction ID: 374066535d364272dd1236adcf92e07d0ddcb66f2849778bd36cacc552de847c
Opcode Fuzzy Hash: 925c54b5e8a66599835c4130d72a561d0dac7e3bb060a8c8d3674e39af2454c3
Instruction Fuzzy Hash: F7412371E003599FCB00DBA5D8042EEBBF5EF89220F15816AD409EB750DB789845CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06972729 Relevance: 1.6, APIs: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0697283C

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9757903b8de29d4883f99f6de8a0536997975a566d1a8a515b54f1174ccbf127
Instruction ID: ba1a9feb8bc65ec57bdf655501494a4f04e6a61aedbbb2309816ecd11bc328e6
Opcode Fuzzy Hash: 9757903b8de29d4883f99f6de8a0536997975a566d1a8a515b54f1174ccbf127
Instruction Fuzzy Hash: 60413470D15349DFDB14CFA9C544ACEFBF5AF48304F28816AE808AB741D7759945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 062663D1 Relevance: 1.6, APIs: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 06266498

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 80500e8a30bb88b90e6e01c3e269fe36a6e9a0e28aa682b0e025f598ebf29372
Instruction ID: 52ba0f5d9966432f70d5bf1b254b8d7df0bcdad683bfef77bbdd6408ba6d03b6
Opcode Fuzzy Hash: 80500e8a30bb88b90e6e01c3e269fe36a6e9a0e28aa682b0e025f598ebf29372
Instruction Fuzzy Hash: 5A31B071D0539A9FCB11CF6AC8507DEFFF0EF49220F04816AD844A7642D7789886CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06971858 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06972AF9

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0247587cf040366eed5ec64cc59e0ddd9d3bbcb58cea85e8021c4fd46a886344
Instruction ID: e2405fa81e0eda3ac7572e84e917c6c17874eb53b1cd829a25996c8c7a6cbef6
Opcode Fuzzy Hash: 0247587cf040366eed5ec64cc59e0ddd9d3bbcb58cea85e8021c4fd46a886344
Instruction Fuzzy Hash: A531C1B1D102589FCB24CF99C984A9EBBF5BF48314F64802AE819AB750D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0697184C Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0697283C

Memory Dump Source

Source File: 00000007.00000002.521986076.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6970000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 59b62e59b78c18bfbae7e32145e6e4ba3a1deb4807aea81c606ade44a549b71f
Instruction ID: cbd829c01f4c1356c953ab47eec9da3d73b9c82b52ab52802b4e622f27f05ee7
Opcode Fuzzy Hash: 59b62e59b78c18bfbae7e32145e6e4ba3a1deb4807aea81c606ade44a549b71f
Instruction Fuzzy Hash: DD311FB0D112499FDB14CF99C584ACEFBF5BF48314F28816EE809AB741C775A985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0690C860 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0690C8EF

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d2471e8df5ea1aec3029322fad050b46a0841b7ced8d7829bf825e10c3950eef
Instruction ID: cbd2b7d6fdcc65b8824050678396ccea7f1db40bdd48f5b1fe4d3015071bdbae
Opcode Fuzzy Hash: d2471e8df5ea1aec3029322fad050b46a0841b7ced8d7829bf825e10c3950eef
Instruction Fuzzy Hash: 3A21F3B5D00248EFDB10CFA9D884ADEBFF4EB48324F24811AE815A3750D378A954CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0690C868 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0690C8EF

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cee3337233c09230027a61a0e62960c1c8c286e0ec7b152266c47e9b53e7df60
Instruction ID: d431a0e3a35d336ec76c632323445ea2758bc9f3c0bdca27f4d0d32d943009d3
Opcode Fuzzy Hash: cee3337233c09230027a61a0e62960c1c8c286e0ec7b152266c47e9b53e7df60
Instruction Fuzzy Hash: 9F21E3B5D00208AFDB10CF99D884ADEBBF8EB48324F14801AE815A3750D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062657B4 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 06266498

Memory Dump Source

Source File: 00000007.00000002.521289102.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6260000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 39721e51969cdfdcac2babd2053fc914d61d2c47adb0350834ea43e0123c09a6
Instruction ID: 605362216526ea39a79392d351c5a708f5aca78991055729b74b995404e4eb67
Opcode Fuzzy Hash: 39721e51969cdfdcac2babd2053fc914d61d2c47adb0350834ea43e0123c09a6
Instruction Fuzzy Hash: 262135B1C0061A9FCB10CF9AC4447EEFBB4EF48224F108129E819B7740D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06906434 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06907E62), ref: 06907F4F

Memory Dump Source

Source File: 00000007.00000002.521899384.0000000006900000.00000040.00000800.00020000.00000000.sdmp, Offset: 06900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6900000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 05422472bdcfa1df963455c2bf6ef9fc2654c840eac1450e203b6bbf99bc8242
Instruction ID: c730bf840694f745f74bd5bce2bbf26e8e58c3f9e14f395b275ae6b9c520c867
Opcode Fuzzy Hash: 05422472bdcfa1df963455c2bf6ef9fc2654c840eac1450e203b6bbf99bc8242
Instruction Fuzzy Hash: DE11F2B1D006599FDB10CF9AC4447EEFBF4AB48224F15812AD819B7740D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069A4EB0 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59d0aab17c37bb296c1bfb79abb777781c6983a546188042bf52e2dd7414fe2
Instruction ID: cdcfd485bd490a39ee93a478f6199e38afdf80a5aa01fc5a3ef70a6ef8d7a934
Opcode Fuzzy Hash: e59d0aab17c37bb296c1bfb79abb777781c6983a546188042bf52e2dd7414fe2
Instruction Fuzzy Hash: 9AF17C30B003048FCB54DBB8D8446ADB7F6EF89214F258469E50ADB791EB74DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069A5DD0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411da73bdcc417c050c79a5753e2a9df3e2db23d182864bde0dbc81fe0021ec8
Instruction ID: 2a25bc4c902da82648471e3ccfee81d49db59d3887c3c8f97e15195b5a2f8caf
Opcode Fuzzy Hash: 411da73bdcc417c050c79a5753e2a9df3e2db23d182864bde0dbc81fe0021ec8
Instruction Fuzzy Hash: D3B1A230B003158FCB65DB74D4546AEBBF2AF89304F2584A9D50ADB385EB38DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069AD7D0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49095a4f3b6fc9f6d4e14ee846502f7f59523f50f086715d4b37ab89d0f52589
Instruction ID: 26a1f84427abe373a69c14d3c1f48bf3c36c2a63ceb3318a2a28f8ee465f0e83
Opcode Fuzzy Hash: 49095a4f3b6fc9f6d4e14ee846502f7f59523f50f086715d4b37ab89d0f52589
Instruction Fuzzy Hash: 4AA16A75A04349DFCF55CFA8C854ADEBFF2BF89310F14815AE805ABA61D7309859CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069A6330 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9db1b1df203fdb9495ac6b4e366e2f2a54253834f7e41eaf6ab936452d6e2d1
Instruction ID: 96df4418da1cfafc8b4c89025290936a01d9c06d30ea2c6f6f3e113725952746
Opcode Fuzzy Hash: c9db1b1df203fdb9495ac6b4e366e2f2a54253834f7e41eaf6ab936452d6e2d1
Instruction Fuzzy Hash: AB710330F043408FEB60CB28C55479DBBE6AF85318F28C16AD4599F78AEB76C845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 069AD4B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68aa102f19b78c9a4e2c30cf18af00e1f06ca2424ea20d8ff5dd80abfd8af71a
Instruction ID: c14ef14f8bc063a8c9649fb9c4b02503099a54fa3c758e7e0f5935f0f6fe10f4
Opcode Fuzzy Hash: 68aa102f19b78c9a4e2c30cf18af00e1f06ca2424ea20d8ff5dd80abfd8af71a
Instruction Fuzzy Hash: 9B714B34B102058FDB95DF29C898A6E7BF9EF59244B2940A5E805CBB71DB70EC45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 069AFC89 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476776309ba8bb4ca8608773c4db245a088ac5e6542ba071cd6291422ac6c1fb
Instruction ID: 44dc41abfa749e4ab46fb75142f67319bedde50b1bdccd8e3f6bba0d490b26ac
Opcode Fuzzy Hash: 476776309ba8bb4ca8608773c4db245a088ac5e6542ba071cd6291422ac6c1fb
Instruction Fuzzy Hash: 60811938900348DFCB10EFF6D85559DBBB1EF48314B118966D824AF364DB38AE85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069A6230 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28afc7432160448b57395a882d8a112ea16858f0e13fb852f302d506f6a56250
Instruction ID: 6f83ae95c38b70df3534380819ad0e2cd8a0aea4c8731e14e881587022054bd9
Opcode Fuzzy Hash: 28afc7432160448b57395a882d8a112ea16858f0e13fb852f302d506f6a56250
Instruction Fuzzy Hash: 08518630B0D3C04FD762873595543997FE68B92248F2D80EBC199CF697D67AD84AC3A2

Uniqueness

Uniqueness Score: -1.00%

Function 069AFD38 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e74c28294e5131887e743a63740593c21329dc3544e1b119aabb771110fc6d
Instruction ID: 58f1e521199916eafdb0b784c640ede7999e66371cda19fd6fc4e6f90e0848fd
Opcode Fuzzy Hash: 10e74c28294e5131887e743a63740593c21329dc3544e1b119aabb771110fc6d
Instruction Fuzzy Hash: BD519278900208DFCB54EFF6E4965DDBBB1EF48314B118925D825AB324DB386E85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 069AD923 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281864a1900ec46e54d79b9fa1955ee9cf4ed8a927752b30c178d631693468fb
Instruction ID: 3fd6b1d40505c7444a3f95309fdb49edd36dcf41f376c5286cae10c73c29d4e4
Opcode Fuzzy Hash: 281864a1900ec46e54d79b9fa1955ee9cf4ed8a927752b30c178d631693468fb
Instruction Fuzzy Hash: 1F41CE31A04349DFCF11CFA4C854A9EBFF2AF89324F148056E8459BAA1D331E918CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 069A58DB Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20f478bfdffc5167043be4acb261e1488aa534403b3700813708aa11866fcaf
Instruction ID: c04afe6ec878aacdb3686f59645f54417748d5d93e18db57d425e59cc605cff7
Opcode Fuzzy Hash: d20f478bfdffc5167043be4acb261e1488aa534403b3700813708aa11866fcaf
Instruction Fuzzy Hash: 12312131F093548FC7519B78D81039E7BF5AF85210F1484A6D588DB292EB348D85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069AD740 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a3a4ef3cfb671296f777f987f60db2881072bef91195473044cc424dbc2c53
Instruction ID: 97c81db94672bf409b259d0a9966f6f1ff416fa7d012b3e0137d9209a5789c69
Opcode Fuzzy Hash: a3a3a4ef3cfb671296f777f987f60db2881072bef91195473044cc424dbc2c53
Instruction Fuzzy Hash: C931A0B9A05289DFCB089BA4DC119EDFBB1FFC9340F09896BD459A7781DA314904CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 069A4E60 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f047297b3f78818a9756f3af9c33eed95a3abcafb6a82c350cdbb38636f7fe4
Instruction ID: 205bd496d49394cafa29621774f8d8ec7fe91a6beb83e2f9586786d5c6379cc4
Opcode Fuzzy Hash: 5f047297b3f78818a9756f3af9c33eed95a3abcafb6a82c350cdbb38636f7fe4
Instruction Fuzzy Hash: A331A030E013499FCB90DFA8D544AAEBBF2EB89314F25846AD549DB341E734DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069A4EA1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acb2b50274b846bdfde8401899dc532dcf4fabb84eac2d55dbe71db45f52e1a
Instruction ID: 94682f0f26aad06b4faabccd981c9057aa2551aa4221d0e933a5c773201cc6e8
Opcode Fuzzy Hash: 2acb2b50274b846bdfde8401899dc532dcf4fabb84eac2d55dbe71db45f52e1a
Instruction Fuzzy Hash: 33116D71E012199FCB54DFA5E5849EDBBF2EB88314F25852AD505A7200D330A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069ADA08 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edee7ba40850fd2e6a2fc0bd45e5626598118bd129aaa730ee8079754a473a0
Instruction ID: ac38a676bf77dc715deb61b1c1dd82a4fd5840d4f2e8eda283a7433a86a5ba90
Opcode Fuzzy Hash: 1edee7ba40850fd2e6a2fc0bd45e5626598118bd129aaa730ee8079754a473a0
Instruction Fuzzy Hash: CE11B131B043469BDB50CFA8C840B9BBBE7EF85374F148155D4189BA92D371E818CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 069A5938 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d647eb8b01102d2fcda80b4949ac8a79418bbf98364632615431452064cef10
Instruction ID: 2c1dd79d00a65901d30c2c4ca81b6292d9e31618390b90902a152b3e65c5a4fc
Opcode Fuzzy Hash: 9d647eb8b01102d2fcda80b4949ac8a79418bbf98364632615431452064cef10
Instruction Fuzzy Hash: 12115E31E002188FCB64EFB9D9107DEB7F5EB88350F008479951DEB284EB749A84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069A51D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0517ed8fb02e48d78a22419df0bfc517ca8155a429b28023b2e05ff37d6292
Instruction ID: eb42d866ca4357971bdd2f69d320671d6b36854c387ad2bef4d8a87559749c68
Opcode Fuzzy Hash: ba0517ed8fb02e48d78a22419df0bfc517ca8155a429b28023b2e05ff37d6292
Instruction Fuzzy Hash: F3F0F631B002145B8B24AEFAA88019FB7BAEB8A228B60443DD419DB240DB319D0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 069A61A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7095194c24a01f04141bae1f5a41e7e74e22744af7d7a323121bac09d967908
Instruction ID: 7a0e46f1da5c08937c61b7f451a4666cd870c1a5d4462155b9d99e4624e55917
Opcode Fuzzy Hash: e7095194c24a01f04141bae1f5a41e7e74e22744af7d7a323121bac09d967908
Instruction Fuzzy Hash: ACF08275F002249F8B90FBB8A8082AF7AE9AFC8660B110435D919D7344EF348E0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 069A4DDB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84af16fc9cf3af18c482d8c4170da76bd02a7771b534ef4ce5b1361dfe28d0c0
Instruction ID: 6bbc69593f4ee1aecc110e60a36837d844e1f0f5659944541d69e75e0d250d0a
Opcode Fuzzy Hash: 84af16fc9cf3af18c482d8c4170da76bd02a7771b534ef4ce5b1361dfe28d0c0
Instruction Fuzzy Hash: 90E06576F012259F87A0DF68A8056EF7BF9EB88611F04056AE50AE3240DB744B158BE0

Uniqueness

Uniqueness Score: -1.00%

Function 069A4DE8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93f430d366e744f09899be1f39a1672c5e335a1876c0ecfc608118f485531aa
Instruction ID: e1c7d2ea1cbc5636961b1261439a92b6a43fb6e31a62de3ac024f6ba80d4a2f9
Opcode Fuzzy Hash: c93f430d366e744f09899be1f39a1672c5e335a1876c0ecfc608118f485531aa
Instruction Fuzzy Hash: 70E04875E003159F8B90EFBDA8045AF7BF9EE8C621B114476E60DD3300EB704A018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 069A3961 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.522194275.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_69a0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6880243add6413d8810b246deca114035bc4665c82f494306fd9cb6978ebfa
Instruction ID: e06384f99fdeeb80d9b0664c93ecd10a9df1fdd8f8968e548c93c830eeb69d57
Opcode Fuzzy Hash: cd6880243add6413d8810b246deca114035bc4665c82f494306fd9cb6978ebfa
Instruction Fuzzy Hash: 93C08C36B020148BDB149744F8054ECF370E788221F1041A2C2198200483301D144FD0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BANK COPY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK COPY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yqWDN.exe.log

C:\Users\user\AppData\Local\Temp\tmp1205.tmp

C:\Users\user\AppData\Roaming\gPxsznxm.exe

C:\Users\user\AppData\Roaming\yqWDN\yqWDN.exe

C:\Windows\System32\drivers\etc\hosts

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
BANK COPY.exe

Function 075B2D00 Relevance: 4.3, Strings: 3, Instructions: 511
COMMON

Function 075B63F8 Relevance: 2.8, Strings: 2, Instructions: 296
COMMON

Function 075B6330 Relevance: 1.6, Strings: 1, Instructions: 362
COMMON

Function 075B6389 Relevance: 1.6, Strings: 1, Instructions: 350
COMMON

Function 02AD9788 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre