
Windows Analysis Report
QNx8Bu7CNn.exe

Overview

General Information

Sample Name: QNx8Bu7CNn.exe
Analysis ID: 715065
MD5: 9a9cb1f7f37aa3955cfb4d8991583e31
SHA1: 8d63b02db5ce9bb9bb1691ab4a5282d18078191a
SHA256: 943089ba13faf44a75c9624e2b68af1f561d5567bb4ba7cf4a2596b129da6a2b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • QNx8Bu7CNn.exe (PID: 5292 cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
    • QNx8Bu7CNn.exe (PID: 5840 cmdline: C:\Users\user\Desktop\QNx8Bu7CNn.exe MD5: 9A9CB1F7F37AA3955CFB4D8991583E31)
  • cleanup
Malware Configuration (AgentTesla): {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source | Rule | Description | Author | Strings
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30080:$a13: get_DnsResolver
  • 0x2e88e:$a20: get_LastAccessed
  • 0x309fe:$a27: set_InternalServerPort
  • 0x30d1a:$a30: set_GuidMasterKey
  • 0x2e995:$a33: get_Clipboard
  • 0x2e9a3:$a34: get_Keyboard
  • 0x2fcb3:$a35: get_ShiftKeyDown
  • 0x2fcc4:$a36: get_AltKeyDown
  • 0x2e9b0:$a37: get_Password
  • 0x2f463:$a38: get_PasswordHash
  • 0x30480:$a39: get_DefaultCredentials
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(10 entries in total; remaining entries not shown)
Source | Rule | Description | Author | Strings
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b4d:$s10: logins
  • 0x66f6d:$s10: logins
  • 0x325b4:$s11: credential
  • 0x669d4:$s11: credential
  • 0x2eb95:$g1: get_Clipboard
  • 0x62fb5:$g1: get_Clipboard
  • 0x2eba3:$g2: get_Keyboard
  • 0x62fc3:$g2: get_Keyboard
  • 0x2ebb0:$g3: get_Password
  • 0x62fd0:$g3: get_Password
  • 0x2fea3:$g4: get_CtrlKeyDown
  • 0x642c3:$g4: get_CtrlKeyDown
  • 0x2feb3:$g5: get_ShiftKeyDown
  • 0x642d3:$g5: get_ShiftKeyDown
  • 0x2fec4:$g6: get_AltKeyDown
  • 0x642e4:$g6: get_AltKeyDown
0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x30280:$a13: get_DnsResolver
  • 0x646a0:$a13: get_DnsResolver
  • 0x2ea8e:$a20: get_LastAccessed
  • 0x62eae:$a20: get_LastAccessed
  • 0x30bfe:$a27: set_InternalServerPort
  • 0x6501e:$a27: set_InternalServerPort
  • 0x30f1a:$a30: set_GuidMasterKey
  • 0x6533a:$a30: set_GuidMasterKey
  • 0x2eb95:$a33: get_Clipboard
  • 0x62fb5:$a33: get_Clipboard
  • 0x2eba3:$a34: get_Keyboard
  • 0x62fc3:$a34: get_Keyboard
  • 0x2feb3:$a35: get_ShiftKeyDown
  • 0x642d3:$a35: get_ShiftKeyDown
  • 0x2fec4:$a36: get_AltKeyDown
  • 0x642e4:$a36: get_AltKeyDown
  • 0x2ebb0:$a37: get_Password
  • 0x62fd0:$a37: get_Password
  • 0x2f663:$a38: get_PasswordHash
  • 0x63a83:$a38: get_PasswordHash
  • 0x30680:$a39: get_DefaultCredentials
0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(19 entries in total; remaining entries not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: QNx8Bu7CNn.exe | ReversingLabs: Detection: 26%
Source: QNx8Bu7CNn.exe | Virustotal: Detection: 32%
Source: ftp://ftp.valvulasthermovalve.cl/cva19491 | URL Reputation: Label: phishing
Source: http://ftp.valvulasthermovalve.cl | Avira URL Cloud: Label: phishing
Source: ftp.valvulasthermovalve.cl | Virustotal: Detection: 17%
Source: QNx8Bu7CNn.exe | Joe Sandbox ML: detected
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.valvulasthermovalve.cl/", "Username": "cva19491@valvulasthermovalve.cl", "Password": "LILKOOLL14!!"}
Source: QNx8Bu7CNn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QNx8Bu7CNn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 190.107.177.239
Source: unknown | FTP traffic detected: 190.107.177.239:21 -> 192.168.2.7:49703 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 10 of 100 allowed.220-Local time is now 09:49. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.valvulasthermovalve.cl/cva19491
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510640859.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.valvulasthermovalve.cl
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pzxuZU.com
Source: QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://uZTc8nGgAr9KT9EFaKnD.net
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: ftp.valvulasthermovalve.cl
Source: QNx8Bu7CNn.exe, 00000000.00000002.264316868.0000000001698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: QNx8Bu7CNn.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160E9E3
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160E9F0
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 0_2_0160CA4C
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7F080
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E702C2
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7AD20
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E7F3C8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526F200
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526C4A8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0526B758
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_05261FF8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_05260040
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06044E60
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06049F00
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06049000
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0604A158
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060432A8
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06069C00
Source: QNx8Bu7CNn.exe, 00000000.00000002.283020050.0000000007A90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.264316868.0000000001698000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.265861063.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.265861063.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000000.237593514.0000000000F02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezjVS.exeL vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.274768916.00000000043C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.283225213.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.283193737.0000000007AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000000.00000002.275476275.0000000004480000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetal.dllJ vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000000.262288164.0000000000436000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameJmTxSVSTIOpBCrhAZqRMrHH.exe4 vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000002.504395903.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe, 00000001.00000002.503539178.0000000000978000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe | Binary or memory string: OriginalFilenamezjVS.exeL vs QNx8Bu7CNn.exe
Source: QNx8Bu7CNn.exe | ReversingLabs: Detection: 26%
Source: QNx8Bu7CNn.exe | Virustotal: Detection: 32%
Source: QNx8Bu7CNn.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QNx8Bu7CNn.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: QNx8Bu7CNn.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QNx8Bu7CNn.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QNx8Bu7CNn.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: QNx8Bu7CNn.exe, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.QNx8Bu7CNn.exe.f00000.0.unpack, NetworkArithmeticGame/Form1.cs | .Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_00E70841 push eax; retf 1_2_00E7084E
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060418AA push es; ret 1_2_060418C4
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06041CC8 push esp; iretd 1_2_06041CC9
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_060418F6 push es; ret 1_2_06041910
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06042177 push edi; retn 0000h 1_2_06042179
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_0604D97A push 8B000003h; iretd 1_2_0604D984
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process information set: NOOPENFILEERRORBOX (this identical entry appears 94 times in the original report; SEM_NOOPENFILEERRORBOX only suppresses the "file not found" message box for failed library loads and is not an obfuscation indicator on its own)
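The .Net Code finding above (System.AppDomain::Load(System.Byte[]) in NetworkArithmeticGame/Form1.cs) means the real payload is decrypted into a byte array and loaded straight from memory, so it never touches disk as a file; the static finding IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is the CLR header that marks such an assembly. The usual next step is to carve that stage out of the process memory dump. The following Python carver is an added example written for this page, not part of the Joe Sandbox report or of the sample: it walks every MZ candidate, validates e_lfanew and the PE signature, reads data directory 14 (the COM descriptor) to tell managed assemblies from native images, and uses the section table to decide how many bytes to cut. The two images it carves in the test are produced by build_test_image() and are constructed test data, not real binaries.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # the CLR header slot named in the report's static PE section


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_pe_at(blob, off):
    """Return header facts for a PE image starting at `off`, or None if the bytes are not a PE."""
    if blob[off:off + 2] != IMAGE_DOS_SIGNATURE or off + 0x40 > len(blob):
        return None
    e_lfanew = _u32(blob, off + 0x3C)
    nt = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or nt + 24 > len(blob):    # keep e_lfanew within a sane window
        return None
    if blob[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    coff = nt + 4
    machine, nsect = _u16(blob, coff), _u16(blob, coff + 2)
    opt_size = _u16(blob, coff + 16)
    opt = coff + 20
    if opt_size < 96 or opt + opt_size > len(blob):
        return None
    magic = _u16(blob, opt)
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)            # PE32 / PE32+ data-directory offsets
    if dd_off is None or dd_off > opt_size:
        return None
    n_dirs = _u32(blob, opt + dd_off - 4)                  # NumberOfRvaAndSizes
    managed = False
    d = opt + dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and d + 8 <= opt + opt_size:
        managed = _u32(blob, d) != 0 and _u32(blob, d + 4) != 0   # non-empty CLR header => .NET assembly
    sect = opt + opt_size
    if nsect > 96 or sect + nsect * 40 > len(blob):
        return None
    extent = sect + nsect * 40 - off                       # at least the headers...
    for i in range(nsect):                                 # ...plus the furthest raw section end on disk
        s = sect + i * 40
        extent = max(extent, _u32(blob, s + 20) + _u32(blob, s + 16))   # PointerToRawData + SizeOfRawData
    extent = min(extent, len(blob) - off)                  # a truncated dump yields a truncated image
    return {"offset": off, "size": extent, "machine": machine,
            "pe32plus": magic == 0x20B, "managed": managed}


def carve_pe(blob):
    """Every validated PE image in `blob` (a memory dump, a packed sample, ...), in offset order."""
    found, pos = [], blob.find(IMAGE_DOS_SIGNATURE)
    while pos >= 0:
        info = parse_pe_at(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def build_test_image(managed):
    """Constructed minimal PE32 with one .text section; test data only, not a real binary."""
    dos = bytearray(0x80)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)       # CLR header RVA / size
    sect = bytearray(40)
    sect[0:5] = b".text"
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)   # VirtualSize, VA, SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + bytes(sect)).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200


if __name__ == "__main__":
    # Usage: python carve.py <dump-or-sample>; without an argument it carves the constructed image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else b"\x90" * 64 + build_test_image(True)
    for pe in carve_pe(data):
        print(f"0x{pe['offset']:08x} size={pe['size']} machine=0x{pe['machine']:x} managed={pe['managed']}")
```

Run it over the .sdmp files that the report's Yara matches point at; a carved image flagged managed=True is the candidate to load into a .NET decompiler. Images cut from a dump are mapped, not file-aligned, so expect to fix section alignment before the decompiler accepts them.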

                Malware Analysis System Evasion

                Source: Yara match | File source: 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5332 | Thread sleep time: -41226s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5312 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 2892 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 3148 | Thread sleep count: 9707 > 30
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Window / User API: threadDelayed 9707
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 41226
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Thread delayed: delay time: 922337203685477
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE6HARDWARE\Description\System"SystemBiosVersion
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware VideoBiosVersion
                Source: QNx8Bu7CNn.exe, 00000000.00000002.264767023.000000000174B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu8M
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \\.\ROOT\cimv2DSOFTWARE\VMware, Inc.\VMware Tools
                Source: QNx8Bu7CNn.exe, 00000001.00000003.301268672.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCapsBBS\8A
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
                Source: QNx8Bu7CNn.exe, 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Code function: 1_2_06046A30 LdrInitializeThunk, 1_2_06046A30
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Memory allocated: page read and write | page guard
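The memory strings above (SBIEDLL.DLL, wine_get_unix_file_name, VMware SVGA II, the SystemBiosVersion and VideoBiosVersion registry values, the VMware Tools key, and the Win32_BaseBoard and Win32_NetworkAdapterConfiguration WMI classes) are the checks behind the AntiVM3 Yara hit. When you look for them in a dump yourself, keep two things in mind: .NET string literals sit in the managed heap as UTF-16LE, so a plain ASCII strings run misses most of them, and the sample upper-cases some of them (VMWARE), so the match has to be case-insensitive. The scanner below is an added example for this page, not code from the report or from the sample. Its marker list is taken from this report except for the VirtualBox entry, which is an assumption about a sibling check, and SAMPLE_DUMP is a constructed stand-in for a process memory dump.

```python
# Markers taken from the memory strings in this report, mapped to what each one probes for.
# The VirtualBox entry is not from this report; it is an assumed sibling check.
MARKERS = {
    b"SbieDll.dll": "Sandboxie",
    b"wine_get_unix_file_name": "Wine",
    b"VMware SVGA II": "VMware (display adapter)",
    b"VMware Tools": "VMware Tools",
    b"VMware": "VMware",
    b"SystemBiosVersion": "SMBIOS registry probe",
    b"VideoBiosVersion": "SMBIOS registry probe",
    b"Win32_BaseBoard": "WMI baseboard probe",
    b"Win32_NetworkAdapterConfiguration": "WMI NIC probe",
    b"VirtualBox": "VirtualBox (assumed sibling check, not seen in this report)",
}

# Constructed stand-in for a memory dump: managed string literals are UTF-16LE, while a string that
# was handed to a native API may also be present as ASCII. Not taken from a real dump.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + "kernel32.dll.wine_get_unix_file_name".encode("utf-16-le") + b"\x00\x00"
    + b"vmware VideoBiosVersion\x00"
    + "VMware SVGA II".encode("utf-16-le")
    + b"\xff" * 8
)


def scan(blob, encodings=("ascii", "utf-16-le")):
    """Find every marker in `blob` in each requested encoding, case-insensitively."""
    low = blob.lower()   # bytes.lower() folds only ASCII letters, so it is safe on UTF-16LE data as well
    hits = []
    for marker, family in MARKERS.items():
        for enc in encodings:
            needle = marker.lower() if enc == "ascii" else marker.lower().decode().encode("utf-16-le")
            pos = low.find(needle)
            while pos >= 0:
                hits.append({"offset": pos, "encoding": enc, "marker": marker.decode(), "family": family})
                pos = low.find(needle, pos + 1)
    return sorted(hits, key=lambda h: (h["offset"], -len(h["marker"])))


def families(hits):
    """Distinct environments or probes the dump checks for, sorted."""
    return sorted({h["family"] for h in hits})


if __name__ == "__main__":
    # Usage: point `scan` at open(path, "rb").read() of an .sdmp; the demo uses the constructed dump.
    for h in scan(SAMPLE_DUMP):
        print(f"0x{h['offset']:06x} {h['encoding']:9} {h['family']:28} {h['marker']}")
    missed = set(families(scan(SAMPLE_DUMP))) - set(families(scan(SAMPLE_DUMP, ("ascii",))))
    print("an ASCII-only pass would miss:", sorted(missed))
```

The ASCII-only run in the demo shows the practical point: with the same dump it reports VMware and the SMBIOS probe but not Sandboxie, Wine or the SVGA adapter string, which is exactly what a default `strings` invocation without the UTF-16 option would give you.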

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Memory written: C:\Users\user\Desktop\QNx8Bu7CNn.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe
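Two findings on this page are best read together rather than line by line. Here, the process starts a second copy of its own image and then writes memory beginning with 4D5A (the MZ header) at base 0x400000 in that child: a full PE written at the default 32-bit image base of a self-spawned process is the process hollowing (RunPE) pattern, in which the child is created suspended, its original image is replaced, and the thread is resumed (the suspended flag itself is not shown in the report). Earlier, in the evasion section, the thread sleep values 922337203685477 and 2767011611056431 are .NET TimeSpan.MaxValue in milliseconds and exactly three times that, so those threads are parked indefinitely rather than merely delayed. The following Python triage script is an added example for this page, not part of the Joe Sandbox report: it parses behaviour lines in the report's own format (SAMPLE_LINES is a constructed copy of the relevant lines from this page), flags the self-hollowing pattern, and labels each sleep. Reading the sleep figures as milliseconds despite their "s" suffix is an assumption, supported by the report's 30000 threshold and by the TimeSpan.MaxValue match.

```python
import re

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in whole milliseconds that is
# 922337203685477, the figure the report prints for TID 5312 (TID 2892 shows three times it).
# The report's "s"-suffixed numbers are therefore taken to be milliseconds (assumption).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
SLEEP_THRESHOLD_MS = 30_000          # the sandbox's own threshold from "-30000s"

# The patterns accept the lines with or without a " | " between the Source cell and the event cell.
RE_CREATE = re.compile(r"^Source: (?P<src>.+?)\s*\|?\s*Process created: (?P<image>\S+) (?P<cmdline>.*)$")
RE_WRITE = re.compile(r"^Source: (?P<src>.+?)\s*\|?\s*Memory written: (?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) "
                      r"value starts with: (?P<magic>[0-9A-Fa-f]+)")
RE_SLEEP = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+)\s*\|?\s*Thread sleep time: -?(?P<ms>\d+)s")

# Constructed input: the relevant lines of this report, one per behaviour event.
SAMPLE_LINES = [
    r"Source: unknown | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe",
    r"Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Process created: C:\Users\user\Desktop\QNx8Bu7CNn.exe C:\Users\user\Desktop\QNx8Bu7CNn.exe",
    r"Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5332 | Thread sleep time: -41226s >= -30000s",
    r"Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 5312 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe TID: 2892 | Thread sleep time: -2767011611056431s >= -30000s",
    r"Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeMemory written: C:\Users\user\Desktop\QNx8Bu7CNn.exe base: 400000 value starts with: 4D5AJump to behavior",
]


def classify_sleep(ms):
    """Label a sleep length the way an analyst reads it."""
    if ms > 0 and ms % TIMESPAN_MAX_MS == 0:
        return "infinite"    # Thread.Sleep(TimeSpan.MaxValue) or a multiple of it: the thread parks for good
    if ms >= SLEEP_THRESHOLD_MS:
        return "long"        # stalls past the sandbox's patience window
    return "short"


def triage(lines):
    """Correlate process-creation, memory-write and sleep events from report lines."""
    created, writes, sleeps = [], [], []
    for raw in lines:
        line = raw.replace("Jump to behavior", "").strip()   # drop the web UI's link text if present
        if (m := RE_CREATE.match(line)):
            created.append((m["src"], m["image"]))
        elif (m := RE_WRITE.match(line)):
            writes.append(m.groupdict())
        elif (m := RE_SLEEP.match(line)):
            sleeps.append((int(m["tid"]), int(m["ms"])))
    # Hollowing/RunPE: a process spawns a copy of its own image, then writes a complete PE
    # (leading bytes 4D 5A, "MZ") at the child's image base. 0x400000 is the default base of a
    # 32-bit executable, matching the report's "Uses 32bit PE files" finding.
    self_spawned = {child for parent, child in created if parent == child}
    hollowing = [
        {"image": w["target"], "base": int(w["base"], 16)}
        for w in writes
        if w["magic"].upper().startswith("4D5A") and w["src"] == w["target"] and w["target"] in self_spawned
    ]
    sleep_findings = [{"tid": tid, "ms": ms, "label": classify_sleep(ms)} for tid, ms in sleeps]
    return {"hollowing": hollowing, "sleeps": sleep_findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for h in result["hollowing"]:
        print(f"process hollowing: {h['image']} rewrote its own child at 0x{h['base']:x}")
    for s in result["sleeps"]:
        print(f"TID {s['tid']}: sleep {s['ms']} ms -> {s['label']}")
```

On a live host the same correlation maps onto the parent/child relationship plus a cross-process write into the child before its first thread runs; the injected image is the one to dump, not the file on disk, which is only the loader.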
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Users\user\Desktop\QNx8Bu7CNn.exe VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: VolumeInformation on each of the following files under C:\Windows\Fonts\ (one report entry per file; volume queries against font files are what System.Drawing/GDI+ font enumeration looks like from a WinForms process and are not an evasion indicator on their own):
                    arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf,
                    calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf,
                    Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf,
                    consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf,
                    corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf,
                    framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF,
                    Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf,
                    LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf,
                    msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf,
                    msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf,
                    Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QNx8Bu7CNn.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Users\user\Desktop\QNx8Bu7CNn.exe VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QNx8Bu7CNn.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47e9d28.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.QNx8Bu7CNn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47b5708.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.47b5708.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QNx8Bu7CNn.exe.477f2e8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5292, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QNx8Bu7CNn.exe PID: 5840, type: MEMORYSTR

Mitre Att&ck Matrix

Techniques are listed per tactic column; the digits in front of a technique name are the count badges shown in the report.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 11 Software Packing
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 1 Input Capture; 1 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
QNx8Bu7CNn.exe | 27% | ReversingLabs |
QNx8Bu7CNn.exe | 32% | Virustotal |
QNx8Bu7CNn.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
Source | Detection | Scanner | Label
1.0.QNx8Bu7CNn.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains
Source | Detection | Scanner | Label
ftp.valvulasthermovalve.cl | 17% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://pzxuZU.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
ftp://ftp.valvulasthermovalve.cl/cva19491 | 100% | URL Reputation | phishing
http://uZTc8nGgAr9KT9EFaKnD.net | 0% | Avira URL Cloud | safe
http://ftp.valvulasthermovalve.cl | 100% | Avira URL Cloud | phishing

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.valvulasthermovalve.cl | 190.107.177.239 | true | false | | unknown

Contacted URLs
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.valvulasthermovalve.cl | QNx8Bu7CNn.exe, 00000001.00000002.510640859.0000000002C75000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
http://www.fontbureau.com/designers/? | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://uZTc8nGgAr9KT9EFaKnD.net | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pzxuZU.com | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QNx8Bu7CNn.exe, 00000001.00000002.510594948.0000000002C69000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | QNx8Bu7CNn.exe, 00000000.00000002.280625866.00000000073A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
ftp://ftp.valvulasthermovalve.cl/cva19491 | QNx8Bu7CNn.exe, 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: phishing | unknown

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
190.107.177.239 | ftp.valvulasthermovalve.cl | Chile | 265831 | SOCCOMERCIALWIRENETCHILELTDACL | false

General Information
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 715065
Start date and time: 2022-10-03 15:48:08 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 50s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: QNx8Bu7CNn.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 43
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 8.238.190.126, 8.238.85.254, 8.248.131.254, 67.26.139.254, 8.253.207.120, 93.184.221.240
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations
Time | Type | Description
15:49:11 | API Interceptor | 723x Sleep call for process: QNx8Bu7CNn.exe modified
Match | Associated Sample Name / URL | Detection | Context
Match: 190.107.177.239
Associated samples (20 earlier submissions, all detected malicious; no further context): QyAJFzyka2.exe, hC3zQ1NRT3.exe, lYi0I802x2.exe, 9A3oPRj6U2.exe, 009384776536.exe, gWN0nuC3bn.exe, F9k462AqBk.exe, 17EB96SrWs.exe, vnoUgxRbMZ.exe, N8ihaHfSIA.exe, pZKw21nRwV.exe, d9hbF78BDX.exe, V3MatrPPOJ.exe, p4ElV7tvcQ.exe, 864ctmEE5a.exe, cqlO8U1e5r.exe, Ym7MG6cRfQ.exe, sYyYnIX0Rb.exe, gz0mI1F8o4.exe, I0qYdvPcOw.exe
Match | Associated Sample Name / URL | Detection | Context
Match: ftp.valvulasthermovalve.cl
Associated samples (20 earlier submissions, all detected malicious; each one resolved the name to 190.107.177.239): QyAJFzyka2.exe, hC3zQ1NRT3.exe, lYi0I802x2.exe, 9A3oPRj6U2.exe, 009384776536.exe, gWN0nuC3bn.exe, F9k462AqBk.exe, 17EB96SrWs.exe, vnoUgxRbMZ.exe, N8ihaHfSIA.exe, pZKw21nRwV.exe, d9hbF78BDX.exe, V3MatrPPOJ.exe, p4ElV7tvcQ.exe, 864ctmEE5a.exe, cqlO8U1e5r.exe, Ym7MG6cRfQ.exe, sYyYnIX0Rb.exe, gz0mI1F8o4.exe, I0qYdvPcOw.exe
Match | Associated Sample Name / URL | Detection | Context
Match: SOCCOMERCIALWIRENETCHILELTDACL
Associated samples (all detected malicious), grouped by the address in this ASN they contacted:
• 190.107.177.239: QyAJFzyka2.exe, hC3zQ1NRT3.exe, lYi0I802x2.exe, 9A3oPRj6U2.exe, 009384776536.exe, gWN0nuC3bn.exe, F9k462AqBk.exe, 17EB96SrWs.exe, vnoUgxRbMZ.exe, N8ihaHfSIA.exe
• 138.117.148.153: 8DjKJy19fW.exe, X3VTSsbYNU.exe, 4c4Dt7ag0O.exe, VyyuC2FGJI.exe, wvzo8Sq723.exe, DsWSNwlsAx.exe, vBw1ZPDusq.exe, cyDwUwwvmT.exe, JVZ08AtT9r.exe, gatOVsgmze.exe
                                                                              No context
                                                                              No context
                                                                              Process:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1308
                                                                              Entropy (8bit):5.345811588615766
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                              MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                              SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                              SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                              SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                              Malicious:true
Reputation:high, very likely benign file (consistent with the preview below: a list of the .NET assemblies and NGEN native images the process bound, i.e. CLR bookkeeping written during startup rather than a payload)
                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):6.560020608920164
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:QNx8Bu7CNn.exe
                                                                              File size:909824
                                                                              MD5:9a9cb1f7f37aa3955cfb4d8991583e31
                                                                              SHA1:8d63b02db5ce9bb9bb1691ab4a5282d18078191a
                                                                              SHA256:943089ba13faf44a75c9624e2b68af1f561d5567bb4ba7cf4a2596b129da6a2b
                                                                              SHA512:d018ecbd1cb1cea36a4e24e30525e64a1e44d0505859de1dcb93511d2e5a77f508ed0284114387da67dfcb0294d5bd15e5cf9d8629adc99e013660affa2dbac4
                                                                              SSDEEP:12288:kK4HTNWk67oi/z0xXi5nv9OZT5fEKD501+owI73IskA2IaBunfuEhp+0:ME4xgv9OjbD/owE3IsH2cnmS
                                                                              TLSH:2F15D02107E19B0BC0525374CDD2C3B0AFE84EB5E6B5C2874FE9FD9BB5771AAAA00145
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f.:c..............0.................. ........@.. .......................@............@................................
                                                                              Icon Hash:00828e8e8686b000
                                                                              Entrypoint:0x4df4c2
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x633AA966 [Mon Oct 3 09:20:38 2022 UTC] (about four and a half hours before this analysis ran at 15:49 CEST, 13:49 UTC, on the same day: the build is fresh, so the PE timestamp looks genuine rather than forged)
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow are zero padding: every 00 00 pair disassembles as "add byte ptr [eax], al", and because the jmp is unconditional none of it is ever reached)

0x402000 is the image base (0x400000) plus the IAT RVA (0x2000, 8 bytes, see the data directories below), and the import table holds exactly one entry, mscoree.dll!_CorExeMain. The entry point is therefore the standard CLR bootstrap stub: the loader hands control to the .NET runtime, and the native disassembly says nothing about what the program does. Its behaviour has to be read from the managed code (IL), which is where the sandbox found the unpacker logic.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf470 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe0000 | 0x608 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdd4c8 | 0xdd600 | False | 0.6838815905561829 | data | 6.567722609504779 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe0000 | 0x608 | 0x800 | False | 0.3310546875 | data | 3.444132612113464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe0090 | 0x378 | data | |
RT_MANIFEST | 0xe0418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
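An added example of the static checks behind the tables above (it is not part of the Joe Sandbox report and not the sample's code): it unpacks an IMAGE_SECTION_HEADER built here from the .text row, decodes the section Characteristics and optional-header DllCharacteristics bit masks the report prints by name, computes the 8-bit Shannon entropy the Entropy column uses, converts TimeDateStamp to UTC, and checks that the FF 25 entry stub really jumps through the IAT slot, which is what makes a PE with a single _CorExeMain import a CLR bootstrap rather than native code. The PointerToRawData value 0x200 in the constructed header is an assumption, since the report does not list it; the flag bit values come from the PE/COFF specification.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_SCN_* section flag bits (PE/COFF specification).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# IMAGE_DLLCHARACTERISTICS_* bits from the optional header.
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

# Constructed from the .text row of the report. The raw-data offset 0x200 is
# an assumption: the report does not list PointerToRawData.
TEXT_SECTION_HEADER = SECTION_HEADER.pack(
    b".text\0\0\0", 0xDD4C8, 0x2000, 0xDD600, 0x200, 0, 0, 0, 0, 0x60000020)


def decode_flags(value, table):
    """Names of the set bits in `value`, lowest bit first. Bits the table does
    not know are reported instead of being silently dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table.keys())
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for
    a uniform byte distribution (the Entropy column of the section table)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_section_header(raw):
    """Unpack one section header and decode its Characteristics."""
    name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = \
        SECTION_HEADER.unpack(raw[:SECTION_HEADER.size])
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "virtual_address": vaddr,
        "virtual_size": vsize,
        "raw_size": rawsize,
        "raw_pointer": rawptr,
        "slack": rawsize - vsize,          # file bytes beyond the mapped size
        "characteristics": decode_flags(chars, SECTION_FLAGS),
    }


def pe_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def clr_entry_stub_target(code, image_base):
    """If `code` starts with `jmp dword ptr [imm32]` (opcode FF 25), return the
    RVA of the pointer slot it jumps through, else None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    (addr,) = struct.unpack_from("<I", code, 2)
    return addr - image_base


def is_clr_bootstrap(code, image_base, iat_rva, imports):
    """True when the entry point is the standard CLR stub: a jmp through the
    IAT whose only import is mscoree.dll!_CorExeMain."""
    return (clr_entry_stub_target(code, image_base) == iat_rva
            and imports == {"mscoree.dll": ["_CorExeMain"]})


if __name__ == "__main__":
    print(parse_section_header(TEXT_SECTION_HEADER))
    print(decode_flags(0x8540, DLL_FLAGS))
    print(pe_timestamp(0x633AA966))
    # Entry bytes as the report shows them: jmp [0x402000] followed by zero padding.
    entry = b"\xff\x25\x00\x20\x40\x00" + bytes(200)
    print(is_clr_bootstrap(entry, 0x400000, 0x2000, {"mscoree.dll": ["_CorExeMain"]}))
    print(round(shannon_entropy(bytes(range(256)) * 4), 3), shannon_entropy(bytes(512)))
```

The `slack` field is worth watching on real files: .text here carries 0x138 bytes of raw data beyond its virtual size, which is normal file-alignment padding, while a large gap between raw and virtual size, or a high-entropy section flagged writable and executable, is the usual sign of a packed payload that the static view will not explain.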
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 15:49:31.703001976 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:31.954325914 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7
Oct 3, 2022 15:49:31.954523087 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:31.960650921 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:32.201725006 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7
Oct 3, 2022 15:49:32.201850891 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:32.207669973 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7
Oct 3, 2022 15:49:32.207695961 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7
Oct 3, 2022 15:49:32.207709074 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7
Oct 3, 2022 15:49:32.207739115 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:32.207787037 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Oct 3, 2022 15:49:32.207787037 CEST | 49703 | 21 | 192.168.2.7 | 190.107.177.239
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 15:49:31.417812109 CEST | 55752 | 53 | 192.168.2.7 | 8.8.8.8
Oct 3, 2022 15:49:31.685353041 CEST | 53 | 55752 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2022 15:49:31.417812109 CEST | 192.168.2.7 | 8.8.8.8 | 0xa279 | Standard query (0) | ftp.valvulasthermovalve.cl | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2022 15:49:31.685353041 CEST | 8.8.8.8 | 192.168.2.7 | 0xa279 | No error (0) | ftp.valvulasthermovalve.cl | | 190.107.177.239 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 3, 2022 15:49:32.201725006 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7 |
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 10 of 100 allowed.
    220-Local time is now 09:49. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Oct 3, 2022 15:49:32.207695961 CEST | 21 | 49703 | 190.107.177.239 | 192.168.2.7 |
    220 Logout.

                                                                              Target ID:0
                                                                              Start time:15:49:01
                                                                              Start date:03/10/2022
                                                                              Path:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                                                              Imagebase:0xf00000
                                                                              File size:909824 bytes
                                                                              MD5 hash:9A9CB1F7F37AA3955CFB4D8991583E31
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.278449042.000000000477F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.266177518.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Target ID:1
                                                                              Start time:15:49:13
                                                                              Start date:03/10/2022
                                                                              Path:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\QNx8Bu7CNn.exe
                                                                              Imagebase:0x500000
                                                                              File size:909824 bytes
                                                                              MD5 hash:9A9CB1F7F37AA3955CFB4D8991583E31
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.262156014.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.507516330.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                                Execution Graph

                                                                                Execution Coverage:11%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:89
                                                                                Total number of Limit Nodes:10
                                                                                execution_graph 12764 160c130 DuplicateHandle 12765 160c1c6 12764->12765 12766 16043c8 12767 16043da 12766->12767 12772 16044d8 12767->12772 12770 1604405 12773 16044fd 12772->12773 12781 16045c8 12773->12781 12785 16045d8 12773->12785 12774 16043e6 12777 1603f58 12774->12777 12778 1603f63 12777->12778 12793 1605a68 12778->12793 12780 1606e04 12780->12770 12782 16045ff 12781->12782 12783 16046dc 12782->12783 12789 16041ac 12782->12789 12787 16045ff 12785->12787 12786 16046dc 12786->12786 12787->12786 12788 16041ac CreateActCtxA 12787->12788 12788->12786 12790 1605668 CreateActCtxA 12789->12790 12792 160572b 12790->12792 12794 1605a73 12793->12794 12797 1605acc 12794->12797 12796 160703d 12796->12780 12798 1605ad7 12797->12798 12801 1605afc 12798->12801 12800 160711a 12800->12796 12802 1605b07 12801->12802 12805 1605b2c 12802->12805 12804 160720a 12804->12800 12806 1605b37 12805->12806 12808 160791e 12806->12808 12811 1609ae0 12806->12811 12807 160795c 12807->12804 12808->12807 12815 160bc33 12808->12815 12819 1609b08 12811->12819 12824 1609b18 12811->12824 12812 1609af6 12812->12808 12816 160bc61 12815->12816 12817 160bc85 12816->12817 12842 160bdf0 12816->12842 12817->12807 12820 1609b16 12819->12820 12821 1609ad9 12819->12821 12827 1609c10 12820->12827 12821->12812 12822 1609b27 12822->12812 12826 1609c10 2 API calls 12824->12826 12825 1609b27 12825->12812 12826->12825 12828 1609c23 12827->12828 12829 1609c3b 12828->12829 12834 1609e98 12828->12834 12829->12822 12830 1609c33 12830->12829 12831 1609e38 GetModuleHandleW 12830->12831 12832 1609e65 12831->12832 12832->12822 12835 1609eac 12834->12835 12836 1609ed1 12835->12836 12838 1609660 12835->12838 12836->12830 12839 160a078 LoadLibraryExW 12838->12839 12841 160a0f1 12839->12841 12841->12836 12843 160bdfd 12842->12843 12844 160be37 12843->12844 12846 160b6ac 12843->12846 12844->12817 12847 160b6b7 12846->12847 12849 160c728 
12847->12849 12850 160b794 12847->12850 12849->12849 12851 160b79f 12850->12851 12852 1605b2c 2 API calls 12851->12852 12853 160c797 12851->12853 12852->12853 12857 160e510 12853->12857 12863 160e528 12853->12863 12854 160c7d0 12854->12849 12859 160e5a5 12857->12859 12860 160e559 12857->12860 12858 160e565 12858->12854 12859->12854 12860->12858 12861 160e9a8 LoadLibraryExW GetModuleHandleW 12860->12861 12862 160e998 LoadLibraryExW GetModuleHandleW 12860->12862 12861->12859 12862->12859 12865 160e5a5 12863->12865 12866 160e559 12863->12866 12864 160e565 12864->12854 12865->12854 12866->12864 12867 160e9a8 LoadLibraryExW GetModuleHandleW 12866->12867 12868 160e998 LoadLibraryExW GetModuleHandleW 12866->12868 12867->12865 12868->12865 12869 160bf08 GetCurrentProcess 12870 160bf82 GetCurrentThread 12869->12870 12871 160bf7b 12869->12871 12872 160bfb8 12870->12872 12873 160bfbf GetCurrentProcess 12870->12873 12871->12870 12872->12873 12874 160bff5 12873->12874 12875 160c01d GetCurrentThreadId 12874->12875 12876 160c04e 12875->12876

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32 ref: 0160BF68
                                                                                • GetCurrentThread.KERNEL32 ref: 0160BFA5
                                                                                • GetCurrentProcess.KERNEL32 ref: 0160BFE2
                                                                                • GetCurrentThreadId.KERNEL32 ref: 0160C03B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: Current$ProcessThread
                                                                                • String ID:
                                                                                • API String ID: 2063062207-0
                                                                                • Opcode ID: 5a7e0c483dc91ab87640a3395081e516db653261320501303185899479fffea1
                                                                                • Instruction ID: e5fff6c2d9b56544b42056f7f70bea157ab710a2d93d4ead28b38641d8861303
                                                                                • Opcode Fuzzy Hash: 5a7e0c483dc91ab87640a3395081e516db653261320501303185899479fffea1
                                                                                • Instruction Fuzzy Hash: 435153B49006498FDB14CFAAD988BAEBFF1EB88304F208159E019A7390D735A944CF65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 312 1609c10-1609c25 call 1607674 315 1609c27-1609c35 call 1609e98 312->315 316 1609c3b-1609c3f 312->316 315->316 322 1609d70-1609e30 315->322 317 1609c41-1609c4b 316->317 318 1609c53-1609c94 316->318 317->318 323 1609ca1-1609caf 318->323 324 1609c96-1609c9e 318->324 361 1609e32-1609e35 322->361 362 1609e38-1609e63 GetModuleHandleW 322->362 326 1609cb1-1609cb6 323->326 327 1609cd3-1609cd5 323->327 324->323 328 1609cc1 326->328 329 1609cb8-1609cbf call 1609604 326->329 330 1609cd8-1609cdf 327->330 335 1609cc3-1609cd1 328->335 329->335 331 1609ce1-1609ce9 330->331 332 1609cec-1609cf3 330->332 331->332 336 1609d00-1609d09 call 1609614 332->336 337 1609cf5-1609cfd 332->337 335->330 342 1609d16-1609d1b 336->342 343 1609d0b-1609d13 336->343 337->336 345 1609d39-1609d46 342->345 346 1609d1d-1609d24 342->346 343->342 351 1609d48-1609d66 345->351 352 1609d69-1609d6f 345->352 346->345 347 1609d26-1609d36 call 1609624 call 1609634 346->347 347->345 351->352 361->362 363 1609e65-1609e6b 362->363 364 1609e6c-1609e80 362->364 363->364
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01609E56
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 470b4176f1cf1d0cbf6eff6de34e2955d497f62d28072eac5f39880f3d955008
                                                                                • Instruction ID: 535e2eb47b185e5ee4f7733eda10aae943bd3c5251c874bee87fd326d02f3d1d
                                                                                • Opcode Fuzzy Hash: 470b4176f1cf1d0cbf6eff6de34e2955d497f62d28072eac5f39880f3d955008
                                                                                • Instruction Fuzzy Hash: AF71F471A00B058FD729DF29D84475BBBF6BF88704F008929D59ADBB91DB34E806CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 367 160565f-1605666 368 1605668-1605729 CreateActCtxA 367->368 370 1605732-160578c 368->370 371 160572b-1605731 368->371 378 160579b-160579f 370->378 379 160578e-1605791 370->379 371->370 380 16057b0 378->380 381 16057a1-16057ad 378->381 379->378 383 16057b1 380->383 381->380 383->383
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01605719
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: ae0325b1a8771fd02c322bf0bbc30a3f93312689f11e2b07a8d0aa060e7e95a3
                                                                                • Instruction ID: 7fa53616c48d65f0101d9df833add0d2265bfe8b5df68ab34e2da1908a067c6d
                                                                                • Opcode Fuzzy Hash: ae0325b1a8771fd02c322bf0bbc30a3f93312689f11e2b07a8d0aa060e7e95a3
                                                                                • Instruction Fuzzy Hash: AE411271C04668CFDB24CFAAC884BDEBBB1FF88304F248169D409AB251DB746946CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 384 16041ac-1605729 CreateActCtxA 387 1605732-160578c 384->387 388 160572b-1605731 384->388 395 160579b-160579f 387->395 396 160578e-1605791 387->396 388->387 397 16057b0 395->397 398 16057a1-16057ad 395->398 396->395 400 16057b1 397->400 398->397 400->400
                                                                                APIs
                                                                                • CreateActCtxA.KERNEL32(?), ref: 01605719
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: Create
                                                                                • String ID:
                                                                                • API String ID: 2289755597-0
                                                                                • Opcode ID: 5f67d04e23c42c85609c225c5efd544ddddaed89a5693db1aeda91b67b632997
                                                                                • Instruction ID: 478482c7ee2940576344197e08288b4801a1450edd725c28dc884070234818e5
                                                                                • Opcode Fuzzy Hash: 5f67d04e23c42c85609c225c5efd544ddddaed89a5693db1aeda91b67b632997
                                                                                • Instruction Fuzzy Hash: 1841F171C04668CFDB24CFA9C884B9EBBB1FF88304F248159D509AB251DB746946CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 401 160c129-160c1c4 DuplicateHandle 402 160c1c6-160c1cc 401->402 403 160c1cd-160c1ea 401->403 402->403
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C1B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: efa502ee42c06274505446fba634805cccf60c93badddc32f0bcf4c16bf5e3f9
                                                                                • Instruction ID: c21eb283c3c93810495ce224da3bc72784d351c9eceb37e62b5d7412b16c98f8
                                                                                • Opcode Fuzzy Hash: efa502ee42c06274505446fba634805cccf60c93badddc32f0bcf4c16bf5e3f9
                                                                                • Instruction Fuzzy Hash: 6721E4B6900208DFDB10CFA9D884ADEBBF4FB48324F14845AE914B7350D374AA45CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 406 160c130-160c1c4 DuplicateHandle 407 160c1c6-160c1cc 406->407 408 160c1cd-160c1ea 406->408 407->408
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C1B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 52d1dc9e440778f55ac5954f0d49b7e63bcb04cbfe070d52f7b2594c837b58ca
                                                                                • Instruction ID: 5a3876c536d1291f8fbfeff4f4102192ec9f2afd719ee215111249ce97dd1bc6
                                                                                • Opcode Fuzzy Hash: 52d1dc9e440778f55ac5954f0d49b7e63bcb04cbfe070d52f7b2594c837b58ca
                                                                                • Instruction Fuzzy Hash: 3C21F3B59002089FDB10CFAAD884ADEBFF8FB48320F14845AE918A3350C374A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 411 1609660-160a0b8 413 160a0c0-160a0ef LoadLibraryExW 411->413 414 160a0ba-160a0bd 411->414 415 160a0f1-160a0f7 413->415 416 160a0f8-160a115 413->416 414->413 415->416
                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01609ED1,00000800,00000000,00000000), ref: 0160A0E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 51dc6f6cd8f8214ae0f227719caf9aa9e5289fe665a84df04d6e2d090e9a27ed
                                                                                • Instruction ID: 5ed510bdb456df9e85f78ac01bc90c34166ab1828c774c69d6fac3d33fdce44b
                                                                                • Opcode Fuzzy Hash: 51dc6f6cd8f8214ae0f227719caf9aa9e5289fe665a84df04d6e2d090e9a27ed
                                                                                • Instruction Fuzzy Hash: 431103B69043098FDB14CF9AC844BDEBBF4EB48354F14842EE51AA7240C375A945CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                control_flow_graph 419 160a070-160a0b8 421 160a0c0-160a0ef LoadLibraryExW 419->421 422 160a0ba-160a0bd 419->422 423 160a0f1-160a0f7 421->423 424 160a0f8-160a115 421->424 422->421 423->424
                                                                                APIs
                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01609ED1,00000800,00000000,00000000), ref: 0160A0E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 43734f9a3330db86b858ff1d22617f4ae2ff4e5debf6fe51a824dc6be957ae21
                                                                                • Instruction ID: 31c83b7b8df5a706b41f86a31961fb7b76e71c0419a463971df1c6405d4912ab
                                                                                • Opcode Fuzzy Hash: 43734f9a3330db86b858ff1d22617f4ae2ff4e5debf6fe51a824dc6be957ae21
                                                                                • Instruction Fuzzy Hash: 0D1103B69043499FDB14CF9AC844BDEFBF4AB48314F14842ED559A7200C775A945CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 427 1609df0-1609e30 428 1609e32-1609e35 427->428 429 1609e38-1609e63 GetModuleHandleW 427->429 428->429 430 1609e65-1609e6b 429->430 431 1609e6c-1609e80 429->431 430->431
                                                                                APIs
                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01609E56
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 9369930b41dcd0631e4ef1167b74136659a7adbd44d8a41b9cb774fb65188a10
                                                                                • Instruction ID: e33804269cfc9a94bb8b2b33d3056e649d4f5d057e38a52b05f966a240c1cd98
                                                                                • Opcode Fuzzy Hash: 9369930b41dcd0631e4ef1167b74136659a7adbd44d8a41b9cb774fb65188a10
                                                                                • Instruction Fuzzy Hash: 44110FB6D002498FDB14CF9AC844BDFFBF5AF88324F14841AD569A7200C374A946CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263854623.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_158d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8876d57876c61d5f39066bdfd7906ea43cced879baf20087ec438b056ecdaf3
                                                                                • Instruction ID: b2f3a584ae5d4985341dac36bb0095f90b94c1f89b85a77aef904f8c2c4a70c2
                                                                                • Opcode Fuzzy Hash: f8876d57876c61d5f39066bdfd7906ea43cced879baf20087ec438b056ecdaf3
                                                                                • Instruction Fuzzy Hash: 992138B1504244DFDB01EF48D9C0B6ABBF5FB88324F24C568D9055F296C376E846C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263889698.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_159d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 559dabf0652602d4d70763df88be11a91f6721a54bb14571d0d36fa366f9c876
                                                                                • Instruction ID: 8e2494aff3085f5fe88c97886236b36d371bfad8f8814d826b27db3a800e69ac
                                                                                • Opcode Fuzzy Hash: 559dabf0652602d4d70763df88be11a91f6721a54bb14571d0d36fa366f9c876
                                                                                • Instruction Fuzzy Hash: 6B2103B1608240DFDF15CF54D8C4B2ABBB5FB88354F24C969D90A4F246D33AD806CA62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263889698.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_159d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8d139b0e5775cbc96bc8e4cfb0b43d1eb356969b01da442415bd0398e62afdf1
                                                                                • Instruction ID: addb0d6f4e24a35a89da1b357d116fbd63783a98c4d4a54b622e2f179a9e346e
                                                                                • Opcode Fuzzy Hash: 8d139b0e5775cbc96bc8e4cfb0b43d1eb356969b01da442415bd0398e62afdf1
                                                                                • Instruction Fuzzy Hash: AF21C8B5504244DFDF05DF54D9C4B29BBB5FB84324F24C9ADD9094F246C33AD846CA62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263889698.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_159d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: afca7853b88ceff499960e5516411726f9edd07493c7d5ca65fb78bd18bbd61f
                                                                                • Instruction ID: f274f9091d9f98ba6d695e39e1050b5f716f9fa32c95bc6df78ef0d56368a046
                                                                                • Opcode Fuzzy Hash: afca7853b88ceff499960e5516411726f9edd07493c7d5ca65fb78bd18bbd61f
                                                                                • Instruction Fuzzy Hash: C2219F755093808FDB03CF24D990B15BF71FB46214F28C5EAD8498F6A7C33A980ACB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263854623.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_158d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9514fc1bb1cc25f491de601e40aa317d03148fdbbbb3ea0ae0adc63f208d9b49
                                                                                • Instruction ID: 92d14eb51ce3e6e55d94f9f08cd4a7300f3955ec0d384589ea23063df6d89a95
                                                                                • Opcode Fuzzy Hash: 9514fc1bb1cc25f491de601e40aa317d03148fdbbbb3ea0ae0adc63f208d9b49
                                                                                • Instruction Fuzzy Hash: 9C11D272504240DFDB02DF48D5C0B5ABFB1FB84320F24C2A9D8050B666C37AD456CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263889698.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_159d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3554de7e29e871378acaf3a08429c0d2c12c29cff4e332b9d7dcf7fca9d36d6a
                                                                                • Instruction ID: 260d7e300d2a6507584593f1ca09f26ea1306a8e78828e0ed7d987b2491e7094
                                                                                • Opcode Fuzzy Hash: 3554de7e29e871378acaf3a08429c0d2c12c29cff4e332b9d7dcf7fca9d36d6a
                                                                                • Instruction Fuzzy Hash: B4118B75904280DFDF12CF54D5C4B19BBB1FB84224F28C6A9D8494B696C33AD84ACB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263854623.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_158d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 118b8dafcdc4f6ff8352ce605befeed5458adba69f582af0dd09ae75c3215814
                                                                                • Instruction ID: 27f581d4dd316b763a7a3403b87491e8de084977da9e05802bf437e3498f9dc2
                                                                                • Opcode Fuzzy Hash: 118b8dafcdc4f6ff8352ce605befeed5458adba69f582af0dd09ae75c3215814
                                                                                • Instruction Fuzzy Hash: 0701FC711083C09AE7107E55DDC4B6ABBE8FF41274F08C52AEA05AE2C7D3799840C6B1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.263854623.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_158d000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1395990afa8896fd1881b440f27fb57710f21e498ea709b73bc085d23eb10d7a
                                                                                • Instruction ID: e25ffd1018d04bf1e936647c6c97e43c8681a9174d37a646b892c5101f036aa8
                                                                                • Opcode Fuzzy Hash: 1395990afa8896fd1881b440f27fb57710f21e498ea709b73bc085d23eb10d7a
                                                                                • Instruction Fuzzy Hash: 0FF0C2725043849AE7109E1ADC84B66FFE8EB81274F18C05AED089F287C3789844CAB0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 45c9da7f1b1b1fe07ef5d0740d88252236182b3ce394bd14d604d2b8b69df3f0
                                                                                • Instruction ID: 3df7c163fc9d8f292ac88de4fc0333e221eec35fff34d9dd84a2850ae3c13e87
                                                                                • Opcode Fuzzy Hash: 45c9da7f1b1b1fe07ef5d0740d88252236182b3ce394bd14d604d2b8b69df3f0
                                                                                • Instruction Fuzzy Hash: EA12E9F18117468BE330EF64E89C299BB61F745328F904328D2652FAD9D7B4934ACF44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e4b2e99ff41d5990a0f8a4c3ab2caede66e0b482a40f0b97378360a4c1f1bee
                                                                                • Instruction ID: c7538963278bccc9da7f455c3e35268fe81ac48938fef06dd9319a793afc2a76
                                                                                • Opcode Fuzzy Hash: 0e4b2e99ff41d5990a0f8a4c3ab2caede66e0b482a40f0b97378360a4c1f1bee
                                                                                • Instruction Fuzzy Hash: 7BA17132E0061A8FCF1ADFA5C8445DEBBB3FF85300B1585AAE905AB261DB71E955CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.264071462.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1600000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2369f073763c0b349f4c1d5b1a79ca09087d078e12607d9c659935a7f34394e0
                                                                                • Instruction ID: cd964bf321db859bdac8a3960c9b33725d928eba8f2c41185ea2841136c2c868
                                                                                • Opcode Fuzzy Hash: 2369f073763c0b349f4c1d5b1a79ca09087d078e12607d9c659935a7f34394e0
                                                                                • Instruction Fuzzy Hash: 48C13FB18117458FE730EF64E89C299BBB1FB85328F504328D1616FAD8D7B4964ACF84
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Execution Graph

                                                                                Execution Coverage:9.7%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:3%
                                                                                Total number of Nodes:134
                                                                                Total number of Limit Nodes:15
                                                                                execution_graph 37265 6046a30 37266 6046a41 37265->37266 37267 6046a64 LdrInitializeThunk 37265->37267 37269 6046ad3 37267->37269 37217 e74540 37218 e74554 37217->37218 37221 e7478a 37218->37221 37219 e7455d 37222 e74793 37221->37222 37227 e74986 37221->37227 37232 e7496c 37221->37232 37237 e7485f 37221->37237 37242 e74870 37221->37242 37222->37219 37228 e74999 37227->37228 37229 e749ab 37227->37229 37247 e74c67 37228->37247 37252 e74c78 37228->37252 37233 e7491f 37232->37233 37234 e749ab 37233->37234 37235 e74c67 2 API calls 37233->37235 37236 e74c78 2 API calls 37233->37236 37235->37234 37236->37234 37238 e74864 37237->37238 37239 e749ab 37238->37239 37240 e74c67 2 API calls 37238->37240 37241 e74c78 2 API calls 37238->37241 37240->37239 37241->37239 37243 e748b4 37242->37243 37244 e749ab 37243->37244 37245 e74c67 2 API calls 37243->37245 37246 e74c78 2 API calls 37243->37246 37245->37244 37246->37244 37248 e74c86 37247->37248 37257 e74cbb 37248->37257 37261 e74cc8 37248->37261 37249 e74c96 37249->37229 37253 e74c86 37252->37253 37255 e74cbb RtlEncodePointer 37253->37255 37256 e74cc8 RtlEncodePointer 37253->37256 37254 e74c96 37254->37229 37255->37254 37256->37254 37258 e74d02 37257->37258 37259 e74d2c RtlEncodePointer 37258->37259 37260 e74d55 37258->37260 37259->37260 37260->37249 37262 e74d02 37261->37262 37263 e74d2c RtlEncodePointer 37262->37263 37264 e74d55 37262->37264 37263->37264 37264->37249 37270 e7add0 37271 e7adee 37270->37271 37274 e79dc0 37271->37274 37273 e7ae25 37275 e7c8f0 LoadLibraryA 37274->37275 37277 e7c9cc 37275->37277 37143 6049a18 37144 6049a29 37143->37144 37146 6049a4c 37143->37146 37145 6049a79 37146->37145 37151 6044e60 37146->37151 37148 6049af8 37165 6044eb0 37148->37165 37152 6044e94 37151->37152 37153 6044e71 37151->37153 37152->37153 37156 6044e60 3 API calls 37152->37156 37157 6044eb0 3 API calls 37152->37157 37177 6044f4e 37152->37177 37183 6045168 37152->37183 37189 6044e4f 37152->37189 37203 60451d0 37152->37203 37153->37148 37154 60451a2 37154->37148 37155 6044ed0 37155->37154 37162 60459b0 RegQueryValueExW 37155->37162 37209 6045748 37155->37209 37213 6045746 37155->37213 37156->37155 37157->37155 37162->37155 37167 6044ed0 37165->37167 37168 6044e60 3 API calls 37165->37168 37169 6044eb0 3 API calls 37165->37169 37170 60451d0 3 API calls 37165->37170 37171 6044f4e 3 API calls 37165->37171 37172 6044e4f 3 API calls 37165->37172 37173 6045168 3 API calls 37165->37173 37166 60451a2 37167->37166 37174 60459b0 RegQueryValueExW 37167->37174 37175 6045746 RegOpenKeyExW 37167->37175 37176 6045748 RegOpenKeyExW 37167->37176 37168->37167 37169->37167 37170->37167 37171->37167 37172->37167 37173->37167 37174->37167 37175->37167 37176->37167 37179 6044f09 37177->37179 37178 60451a2 37178->37155 37179->37178 37180 60459b0 RegQueryValueExW 37179->37180 37181 6045746 RegOpenKeyExW 37179->37181 37182 6045748 RegOpenKeyExW 37179->37182 37180->37179 37181->37179 37182->37179 37185 6044f09 37183->37185 37184 60451a2 37184->37155 37185->37184 37186 6045746 RegOpenKeyExW 37185->37186 37187 6045748 RegOpenKeyExW 37185->37187 37188 60459b0 RegQueryValueExW 37185->37188 37186->37185 37187->37185 37188->37185 37190 6044e53 37189->37190 37191 6044e71 37189->37191 37190->37191 37197 6044e60 3 API calls 37190->37197 37198 6044eb0 3 API calls 37190->37198 37199 60451d0 3 API calls 37190->37199 37200 6044f4e 3 API calls 37190->37200 37201 6044e4f 3 API calls 37190->37201 37202 6045168 3 API calls 37190->37202 37191->37155 37192 60451a2 37192->37155 37193 6044ed0 37193->37192 37194 60459b0 RegQueryValueExW 37193->37194 37195 6045746 RegOpenKeyExW 37193->37195 37196 6045748 RegOpenKeyExW 37193->37196 37194->37193 37195->37193 37196->37193 37197->37193 37198->37193 37199->37193 37200->37193 37201->37193 37202->37193 37205 60451e7 37203->37205 37204 60451ee 37204->37155 37205->37204 37206 6045746 RegOpenKeyExW 37205->37206 37207 6045748 RegOpenKeyExW 37205->37207 37208 60459b0 RegQueryValueExW 37205->37208 37206->37205 37207->37205 37208->37205 37210 604579a RegOpenKeyExW 37209->37210 37212 604580e 37210->37212 37214 604579a RegOpenKeyExW 37213->37214 37216 604580e 37214->37216 37216->37216 37278 60486f8 37279 6048709 37278->37279 37280 604872c 37278->37280 37284 6049000 37280->37284 37291 6048feb 37280->37291 37281 60487d3 37285 60490d4 37284->37285 37287 604901f 37284->37287 37288 6049071 37285->37288 37289 6049000 RegQueryValueExW 37285->37289 37290 6048feb RegQueryValueExW 37285->37290 37287->37288 37299 60459b0 37287->37299 37288->37281 37289->37288 37290->37288 37292 6049000 37291->37292 37293 60490d4 37292->37293 37296 604901f 37292->37296 37295 6049071 37293->37295 37297 6049000 RegQueryValueExW 37293->37297 37298 6048feb RegQueryValueExW 37293->37298 37294 60459b0 RegQueryValueExW 37294->37296 37295->37281 37296->37294 37296->37295 37297->37295 37298->37295 37300 60459c1 37299->37300 37301 60459e4 RegQueryValueExW 37299->37301 37300->37287 37303 6045acb 37301->37303
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: XcLl$XcLl
                                                                                • API String ID: 0-3856365118
                                                                                • Opcode ID: e970fae31d10ea16eea656f3f67009d427b21730a10ec7940a016cebd368e86f
                                                                                • Instruction ID: c1e4bfe18382182fbb23dfc5e904b6e0091cba7fd63eef53449a30b63e9fb3fd
                                                                                • Opcode Fuzzy Hash: e970fae31d10ea16eea656f3f67009d427b21730a10ec7940a016cebd368e86f
                                                                                • Instruction Fuzzy Hash: B4820030B142059FDF24DB64D994BAEBBE2BF89304F158069E50AEB395DB34DC81CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block 6046a30-6046a3f, block 6046a64-6046acc references LdrInitializeThunk]
APIs
• none recorded
Memory Dump Source
• Source File: 00000001.00000002.514285790.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6040000_QNx8Bu7CNn.jbxd
Similarity
• API ID: InitializeThunk
• API String ID: 2994545307-0
• Opcode ID: 09e1c2e90018d979356e5018203ec23032f1a40d0fe7d64149d91c684c567ae0
• Instruction ID: 0eeb2f94c8b5aa9b7b7fee28603fe2c9640cf91caba7139b8d402d6325188817
• Opcode Fuzzy Hash: 09e1c2e90018d979356e5018203ec23032f1a40d0fe7d64149d91c684c567ae0
• Instruction Fuzzy Hash: 02816D70A50209CFDB64EFB4C9586AEBBF2EF45304F108839D406AB351EB759D46CB90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block 60459b0-60459bf, block 6045a87-6045ac9 calls RegQueryValueExW]
APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06045AB9
Memory Dump Source
• Source File: 00000001.00000002.514285790.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6040000_QNx8Bu7CNn.jbxd
Similarity
• API ID: QueryValue
• API String ID: 3660427363-0
• Opcode ID: e2a8027e6cb5f9068a6449ea9566f323b6da0b20ea4af8de04c2bbdd400c83ee
• Instruction ID: 129fc01a172232d8a8f0405167dbcbccea2d0566ebe160271f32d1bf3747789c
• Opcode Fuzzy Hash: e2a8027e6cb5f9068a6449ea9566f323b6da0b20ea4af8de04c2bbdd400c83ee
• Instruction Fuzzy Hash: ED4113B1E002589FCB61DFA9C984ADEBFF5BF48304F15806AE819AB740D7349905CFA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block e7c8e4-e7c947, block e7c980-e7c9ca calls LoadLibraryA]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 00E7C9BA
Memory Dump Source
• Source File: 00000001.00000002.507272578.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_e70000_QNx8Bu7CNn.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: 01fd9f07cb10bb7fe820daf678127328d9fef5dfa937611d21f117d7dd598edd
• Instruction ID: c7b32196ad6dc8123dd55c4f74d8bfec4235640252feebf3b55d138aa6502cad
• Opcode Fuzzy Hash: 01fd9f07cb10bb7fe820daf678127328d9fef5dfa937611d21f117d7dd598edd
• Instruction Fuzzy Hash: C43132B1D002498FCB14CFA8C4857AEBBB5BB48314F24852EE85AB7380D7749885CF92
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block e79dc0-e7c947, block e7c980-e7c9ca calls LoadLibraryA]
APIs
• LoadLibraryA.KERNELBASE(?), ref: 00E7C9BA
Memory Dump Source
• Source File: 00000001.00000002.507272578.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_e70000_QNx8Bu7CNn.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: 0c65e0bc48074b04145f367017ffffc2e249e466cba4050f484d2390a846d5c4
• Instruction ID: afa834011911cb08d25a96a0695979d7ca36387b0f3017b16b016ee8e73e3086
• Opcode Fuzzy Hash: 0c65e0bc48074b04145f367017ffffc2e249e466cba4050f484d2390a846d5c4
• Instruction Fuzzy Hash: F03114B1D002499FDB14CFA9C44579EBBF5BB48314F24952DE81AB7380D7749881CF95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block 6045748-6045798, block 60457a0-604580c calls RegOpenKeyExW]
APIs
• RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 060457FC
Memory Dump Source
• Source File: 00000001.00000002.514285790.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6040000_QNx8Bu7CNn.jbxd
Similarity
• API ID: Open
• API String ID: 71445658-0
• Opcode ID: 2fb9ea9ae12f01284648dacc5a926361d943b8180c0bde6cadba218c9706b27d
• Instruction ID: 8dc95338ee151e96efccafcffb33e96404408cac0f1f0ba09470f0a291757e38
• Opcode Fuzzy Hash: 2fb9ea9ae12f01284648dacc5a926361d943b8180c0bde6cadba218c9706b27d
• Instruction Fuzzy Hash: 8131E0B1D05249CFDB10CF99C584A8EFFF5BF48304F28816EE809AB201C7B59985CBA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block 6045746-6045798, block 60457a0-604580c calls RegOpenKeyExW]
APIs
• RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 060457FC
Memory Dump Source
• Source File: 00000001.00000002.514285790.0000000006040000.00000040.00000800.00020000.00000000.sdmp, Offset: 06040000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_6040000_QNx8Bu7CNn.jbxd
Similarity
• API ID: Open
• API String ID: 71445658-0
• Opcode ID: 45f77c43c7f8e8f022958e5eadb055e77dc7243058c6637cbd841e4a9c35c02a
• Instruction ID: c4bc2c18630c51a8a40564aa30a178a319bfde585d8113a35da3ba71123e3d41
• Opcode Fuzzy Hash: 45f77c43c7f8e8f022958e5eadb055e77dc7243058c6637cbd841e4a9c35c02a
• Instruction Fuzzy Hash: E131E0B1D01249CFDB10CF99C584A8EFFF5BF48304F28816EE809AB200C7759985CB90
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block e74cbb-e74d0a, block e74d22-e74d53 calls RtlEncodePointer]
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00E74D42
Memory Dump Source
• Source File: 00000001.00000002.507272578.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_e70000_QNx8Bu7CNn.jbxd
Similarity
• API ID: EncodePointer
• API String ID: 2118026453-0
• Opcode ID: c90f5b6fe7da42b39555e2e545daecfeb2b9cc49c4bb23626ac61c63d866b9f5
• Instruction ID: cfda59136e7e78e9c2a64301cbe90ac86b73fcd0f4496bef0412a1347273449a
• Opcode Fuzzy Hash: c90f5b6fe7da42b39555e2e545daecfeb2b9cc49c4bb23626ac61c63d866b9f5
• Instruction Fuzzy Hash: F1215BB1904349CFDB20DFA9D4487DEBBF4EB45324F14802AD549A7A41CB785946CFA2
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• [graph rendering not reproduced; entry block e74cc8-e74d0a, block e74d22-e74d53 calls RtlEncodePointer]
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00E74D42
Memory Dump Source
• Source File: 00000001.00000002.507272578.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_e70000_QNx8Bu7CNn.jbxd
Similarity
• API ID: EncodePointer
• API String ID: 2118026453-0
• Opcode ID: 13a82be78cd1ebadd8af83bf169d35e991d722118b7a920de65e1c556dfbadf6
• Instruction ID: 902f2bac49075bf1a5c345336dd276e5af625d0ec0fffb0f60ff292556ee28c5
• Opcode Fuzzy Hash: 13a82be78cd1ebadd8af83bf169d35e991d722118b7a920de65e1c556dfbadf6
• Instruction Fuzzy Hash: 8D118CB1900309CFCB20DFA9D40879EBBF8FB44314F10802AD549B3A40CB386944CFA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.504232267.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_cbd000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: 35df145285da4ff23446e299d9f3a42835abfa74e9bab946d7177ec9a015299f
• Instruction ID: 9b1335417604e9162771248c01647e23ccd6408e60733dc2cefddcbd3c3bccef
• Opcode Fuzzy Hash: 35df145285da4ff23446e299d9f3a42835abfa74e9bab946d7177ec9a015299f
• Instruction Fuzzy Hash: F642DF3056F7C18FE3034B3698B46917F719F13248B5A81EBC581CA4B7DA1E942EDB62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: 2e3441791f9eb2d6e61aa7356abc7b9416ca9cd28b05660b80da75d638092298
• Instruction ID: c5d542aa181173107748327d8d0a978cda16b03484deb5a141f934c0300d321a
• Opcode Fuzzy Hash: 2e3441791f9eb2d6e61aa7356abc7b9416ca9cd28b05660b80da75d638092298
• Instruction Fuzzy Hash: FEF10F79A14615CFCB15CF58D588DAEB7FAFF88310B1680A9E505AB361DB31EC81CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: eb7f33b9f3acf96cd3e011610337f4cde35a2ca0483ccbec1e9be18f3aec6da8
• Instruction ID: da18fbffa07a166e480cb2e2c33f31e78520b8919212d480d307f7926fa76b99
• Opcode Fuzzy Hash: eb7f33b9f3acf96cd3e011610337f4cde35a2ca0483ccbec1e9be18f3aec6da8
• Instruction Fuzzy Hash: C171D1347142158FCB29EB34D8A4A7E77ABFF84640B164469E10ADB391DE34DC81CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: 35b45caf6eac8c0501749681a0157c4f5475b1687955d4707f2dfe118a93d4e9
• Instruction ID: 8a03a0506cc9d814c7aaf3350a0ef4744a8226bce54c3b0cc18da46592767baa
• Opcode Fuzzy Hash: 35b45caf6eac8c0501749681a0157c4f5475b1687955d4707f2dfe118a93d4e9
• Instruction Fuzzy Hash: BE819435A14216DFCB14CF68D884EAEBBB9FF45310F0680A9E8199B361D731EC81CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: 53af0addc23af5106e265a18928a2fd0327754c210f48a29baffc3bedc1e7625
• Instruction ID: 425176b17319c0dd3e8e92a11c13b66fb2afabe1aedafcf16bacb3fc561512f4
• Opcode Fuzzy Hash: 53af0addc23af5106e265a18928a2fd0327754c210f48a29baffc3bedc1e7625
• Instruction Fuzzy Hash: FC31AD31314145CFDB19DF25E928A7A3BE2EF89340F108069F84ADB399DB34CC428BA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
Similarity
• Opcode ID: 26329638c2bf4644a0bbf93ec863a44b4041931d48591a6900a890e30e1a0c56
• Instruction ID: 8246ef0520822351b27e0ad624663e91d1b5aa2d00f6fdfbe663fd6bb5f2dc72
• Opcode Fuzzy Hash: 26329638c2bf4644a0bbf93ec863a44b4041931d48591a6900a890e30e1a0c56
• Instruction Fuzzy Hash: 8631B379E106058FCB05CF68C8849AEBBB6BF88310B168199E915DB3A5DB30AD41CB91
Uniqueness
• Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.504029796.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_cad000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.504029796.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_cad000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.504232267.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_cbd000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.504029796.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_cad000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.504029796.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_cad000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000001.00000002.514004541.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_1_2_5260000_QNx8Bu7CNn.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Gl$Gl$Gl$Gl
                                                                                • API String ID: 0-1215202952
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%