Source: qxn9Zvy1at.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 172.67.214.45:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: qxn9Zvy1at.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6DC20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE31550 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetReadFile,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,
Source: global traffic | DNS traffic detected: DNS query: securetestconnect.app
Source: unknown | HTTP traffic detected: POST /connection/test HTTP/1.1Content-Type: application/jsonUser-Agent: UA/1Host: securetestconnect.appContent-Length: 99Cache-Control: no-cache
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.usertrust.
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: qxn9Zvy1at.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: qxn9Zvy1at.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: qxn9Zvy1at.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: qxn9Zvy1at.exe, 00000000.00000002.1629483647.0000015524A1B000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A10000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628935115.0000015524A1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: qxn9Zvy1at.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: qxn9Zvy1at.exe, qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BFD000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629585796.0000015524C04000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629353878.0000015524989000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629699590.00007FF7EBE8E000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://securetestconnect.app/connection/test
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://securetestconnect.app/connection/testMain
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://securetestconnect.app/connection/testn
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://securetestconnect.app/f
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://securetestconnect.app/r
Source: qxn9Zvy1at.exe, 00000000.00000002.1629483647.0000015524A1B000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A10000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628891408.0000015524A0D000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628935115.0000015524A1A000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628842693.0000015524A06000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000003.1628842693.00000155249FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | HTTPS traffic detected: 172.67.214.45:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE43D30 shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,shared_ptr,shared_ptr,GetModuleHandleA,CreatePipe,SetHandleInformation,CreateProcessA,CloseHandle,CloseHandle,NtCreateSection,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetStdHandle,ReadFile,GetCurrentProcess,CloseHandle,CloseHandle,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE43D30
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6B5F0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5DCE4
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE64C78
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6DC20
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE61B30
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE679DC
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE639A0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6C930
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5CFA0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE66EAC
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5CDB8
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE70D88
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE60D6C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6735C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE72364
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6127C
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE74248
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5D188
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5E870
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6F858
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5D7D0
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6663C
Source: qxn9Zvy1at.exe, 00000000.00000002.1629718940.00007FF7EBEDF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: qxn9Zvy1at.exe, 00000000.00000003.1620517133.00000155250DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: qxn9Zvy1at.exe | Binary or memory string: OriginalFilenameCloudNetCheck.exelJ vs qxn9Zvy1at.exe
Source: classification engine | Classification label: mal52.troj.evad.winEXE@3/0@1/1
Source: qxn9Zvy1at.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | File read: C:\Users\user\Desktop\qxn9Zvy1at.exe
Source: unknown | Process created: C:\Users\user\Desktop\qxn9Zvy1at.exe "C:\Users\user\Desktop\qxn9Zvy1at.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: qxn9Zvy1at.exe | Static PE information: certificate valid
Source: qxn9Zvy1at.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qxn9Zvy1at.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: qxn9Zvy1at.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qxn9Zvy1at.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qxn9Zvy1at.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qxn9Zvy1at.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qxn9Zvy1at.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qxn9Zvy1at.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Yara match | File source: 00000000.00000003.1619237473.0000015524A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1619549911.0000015524A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1629656340.00007FF7EBE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1617145667.00007FF7EBE31000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1620726266.0000015524BC3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1617672578.00000155249B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1620517133.0000015525031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1619140980.0000015524A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1620645632.00000155249ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1619366078.00000155249ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE44C20 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,QueryFullProcessImageNameW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Mtx_guard::~_Mtx_guard,
Source: qxn9Zvy1at.exe | Static PE information: real checksum: 0xbd572 should be: 0xb7269
Source: qxn9Zvy1at.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE31550 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,InternetOpenW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetConnectW,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,Concurrency::details::WorkQueue::IsStructuredEmpty,HttpSendRequestA,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetReadFile,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,MultiByteToWideChar,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,InternetCloseHandle,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE6DC20 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: qxn9Zvy1at.exe, 00000000.00000003.1628918711.0000015524C03000.00000004.00000020.00020000.00000000.sdmp, qxn9Zvy1at.exe, 00000000.00000002.1629585796.0000015524C04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW7fvq
Source: qxn9Zvy1at.exe, 00000000.00000002.1629533309.0000015524BC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW{
Source: qxn9Zvy1at.exe, 00000000.00000002.1629353878.00000155249FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5BFC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE44C20 _Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,QueryFullProcessImageNameW,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,LoadLibraryA,GetProcAddress,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,_Mtx_guard::~_Mtx_guard,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,_Mtx_guard::~_Mtx_guard,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE72078 GetProcessHeap,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE5BFC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE56350 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE561AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE555AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | NtCreateSection: Indirect: 0x7FF7EBE44235
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE76860 cpuid
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71C34 GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71B84 GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71A2C GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE68DC0 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71D60 EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE7132C TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE69200 GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE717E0 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71748 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE71678 EnumSystemLocalesW,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Code function: 0_2_00007FF7EBE56090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\qxn9Zvy1at.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob