Play interactive tour

Edit tour

Analysis Report .exe

Overview

General Information

Sample Name:	.exe
Analysis ID:	321141
MD5:	4c0960a22153523b2626bff364cc7073
SHA1:	8596c7561f3668d544ee5cf24ac19c1c9db6c616
SHA256:	c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
Tags:	exe
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Yara detected AgentTesla

Yara detected AntiVM_3

Contains functionality to register a low level keyboard hook

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

.exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\ .exe' MD5: 4C0960A22153523B2626BFF364CC7073)

schtasks.exe (PID: 6604 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

.exe (PID: 6752 cmdline: {path} MD5: 4C0960A22153523B2626BFF364CC7073)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
.exe	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\apQsEpT.exe	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: .exe PID: 6752	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: .exe PID: 6752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: .exe PID: 6444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: .exe PID: 6444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2. .exe.510000.1.unpack	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
4.0. .exe.510000.0.unpack	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
0.0. .exe.320000.0.unpack	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34
4.2. .exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2. .exe.320000.0.unpack	MAL_RANSOM_COVID19_Apr20_1	Detects ransomware distributed in COVID-19 theme	Florian Roth	0x74117:$op2: 60 2E 2E 2E AF 34 34 34 B8 34 34 34 B8 34 34 34 0x73a9f:$op3: 1F 07 1A 37 85 05 05 36 83 05 05 36 83 05 05 34

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp', ProcessId: 6604

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\ .exe, NewProcessName: C:\Users\user\Desktop\ .exe, OriginalFileName: C:\Users\user\Desktop\ .exe, ParentCommandLine: 'C:\Users\user\Desktop\ .exe' , ParentImage: C:\Users\user\Desktop\ .exe, ParentProcessId: 6444, ProcessCommandLine: {path}, ProcessId: 6752

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: .exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\apQsEpT.exe

Avira: detection malicious, Label: TR/Kryptik.uduze

Found malware configuration

Show sources

Source: .exe.6752.4.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "LG3xhtQljnZve", "URL: ": "http://dIhLHGXisr.net", "To: ": "supervisor@persec.gr", "ByHost: ": "mail.persec.gr:587", "Password: ": "g71iC6Xh1Q24qt", "From: ": "supervisor@persec.gr"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\apQsEpT.exe

ReversingLabs: Detection: 41%

Multi AV Scanner detection for submitted file

Show sources

Source: .exe	Virustotal: Detection: 55%			Perma Link
Source: .exe	ReversingLabs: Detection: 41%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\apQsEpT.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: .exe

Joe Sandbox ML: detected

Source: 4.2. .exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: global traffic

TCP traffic: 192.168.2.3:49746 -> 85.25.186.211:587

Source: Joe Sandbox View

ASN Name: GD-EMEA-DC-SXB1DE GD-EMEA-DC-SXB1DE

Source: global traffic

TCP traffic: 192.168.2.3:49746 -> 85.25.186.211:587

Source: unknown

DNS traffic detected: queries for: mail.persec.gr

Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: http://GMgRDJ.com
Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: .exe, 00000004.00000002.483465380.0000000006570000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: http://dIhLHGXisr.ne
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: http://dIhLHGXisr.net
Source: .exe, 00000004.00000003.432962878.0000000000994000.00000004.00000001.sdmp	String found in binary or memory: http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmp	String found in binary or memory: http://mail.persec.gr
Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: .exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmp	String found in binary or memory: http://persec.gr
Source: .exe, 00000000.00000002.227280957.0000000002851000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: .exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: .exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: .exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\ .exe

Code function: 4_2_00E4085C SetWindowsHookExW 0000000D,00000000,?,?

4_2_00E4085C

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\ .exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ .exe

Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_025F0468	0_2_025F0468
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_025F3251	0_2_025F3251
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_025F1792	0_2_025F1792
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_027228AC	0_2_027228AC
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_027228A0	0_2_027228A0
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_02721458	0_2_02721458
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_02721E10	0_2_02721E10
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_02721E02	0_2_02721E02
Source: C:\Users\user\Desktop\ .exe	Code function: 0_2_02723C90	0_2_02723C90
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E06878	4_2_00E06878
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E06140	4_2_00E06140
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E03664	4_2_00E03664
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E05B08	4_2_00E05B08
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E10C58	4_2_00E10C58
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E10818	4_2_00E10818
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E135C0	4_2_00E135C0
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E1A638	4_2_00E1A638
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E1C9A0	4_2_00E1C9A0
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E1CD78	4_2_00E1CD78
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E172B8	4_2_00E172B8
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E12BE8	4_2_00E12BE8
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E2D0D9	4_2_00E2D0D9
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E299D8	4_2_00E299D8
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E236C0	4_2_00E236C0
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E22E30	4_2_00E22E30
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E21408	4_2_00E21408
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E2ABA0	4_2_00E2ABA0
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E48680	4_2_00E48680
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E4C3B0	4_2_00E4C3B0
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E41368	4_2_00E41368
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E23A90	4_2_00E23A90
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E20040	4_2_00E20040

Source: .exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: apQsEpT.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: .exe	Binary or memory string: OriginalFilename vs .exe
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
Source: .exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs .exe
Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs .exe
Source: .exe, 00000000.00000002.229849312.00000000052D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs .exe
Source: .exe, 00000000.00000002.229717040.00000000051D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs .exe
Source: .exe, 00000000.00000002.233680197.000000000D840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs .exe
Source: .exe	Binary or memory string: OriginalFilename vs .exe
Source: .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameKHMZrpfhVHbupBTDgZUuRpVOwPEewuQgjBGfHK.exe4 vs .exe
Source: .exe, 00000004.00000002.475414380.0000000000512000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe
Source: .exe, 00000004.00000002.483118570.0000000005C40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs .exe
Source: .exe, 00000004.00000002.475845812.0000000000938000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs .exe
Source: .exe, 00000004.00000002.477070900.0000000000D30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs .exe
Source: .exe	Binary or memory string: OriginalFilename-^lQ.exe2 vs .exe

Source: .exe, type: SAMPLE	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: C:\Users\user\AppData\Roaming\apQsEpT.exe, type: DROPPED	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 4.2. .exe.510000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 4.0. .exe.510000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.0. .exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
Source: 0.2. .exe.320000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_RANSOM_COVID19_Apr20_1 date = 2020-04-15, hash1 = 2779863a173ff975148cb3156ee593cb5719a0ab238ea7c9e0b0ca3b5a4a9326, author = Florian Roth, description = Detects ransomware distributed in COVID-19 theme, reference = https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/

Source: .exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: apQsEpT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@2/1

Source: C:\Users\user\Desktop\ .exe

File created: C:\Users\user\AppData\Roaming\apQsEpT.exe

Jump to behavior

Source: C:\Users\user\Desktop\ .exe	Mutant created: \Sessions\1\BaseNamedObjects\BrbtmaRrqYfXTg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01

Source: C:\Users\user\Desktop\ .exe

File created: C:\Users\user\AppData\Local\Temp\tmp88EB.tmp

Jump to behavior

Source: .exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ .exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\ .exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: .exe	Virustotal: Detection: 55%
Source: .exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\ .exe

File read: C:\Users\user\Desktop\ .exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ .exe 'C:\Users\user\Desktop\ .exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\ .exe {path}
Source: C:\Users\user\Desktop\ .exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process created: C:\Users\user\Desktop\ .exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: .exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E0B55F push edi; retn 0000h		4_2_00E0B561
Source: C:\Users\user\Desktop\ .exe	Code function: 4_2_00E2811A push 8BFFFFFFh; retf		4_2_00E28120

Source: initial sample	Static PE information: section name: .text entropy: 7.8624495092
Source: initial sample	Static PE information: section name: .text entropy: 7.8624495092

Source: C:\Users\user\Desktop\ .exe	File created: \ .exe			Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File created: \ .exe			Jump to behavior

Source: C:\Users\user\Desktop\ .exe

File created: C:\Users\user\AppData\Roaming\apQsEpT.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (2112).png

Source: C:\Users\user\Desktop\ .exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6444, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\ .exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\ .exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\ .exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\ .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Window / User API: threadDelayed 777

Jump to behavior

Source: C:\Users\user\Desktop\ .exe TID: 6568	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 6448	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 6468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7020	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7020	Thread sleep count: 777 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -59500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -59314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -58406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -87000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -57594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -57314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -56500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -83721s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -83391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -83109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -54906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -54500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -54314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -53814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -53594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -53406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -53000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -78750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -51906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -51406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -76500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -50814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -50094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -49220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -73500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -48814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -48594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -47500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -47314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -46814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -46594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -45720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -45314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -45094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -44906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -43814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -43314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -43094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -42906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -42500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -42220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -41594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -40500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -39594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -37000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -36814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -36314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -35220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -35000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -50109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -33220s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -31094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -30906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -30720s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -39471s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34221s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -51814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -51594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -75750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -49406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -48500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -48094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -47406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -70500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -45906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -44814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -44594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -43906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -41906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -41314s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -41094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -40406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -39500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -37814s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -37594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -36906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -36500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -35406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -34500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ .exe TID: 7016	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ .exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\ .exe	Last function: Thread delayed

Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: .exe, 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: .exe, 00000000.00000002.228771700.0000000002BFF000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: .exe, 00000004.00000002.476639062.0000000000B42000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Code function: 4_2_00E00A70 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,

4_2_00E00A70

Source: C:\Users\user\Desktop\ .exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\ .exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Process created: C:\Users\user\Desktop\ .exe {path}			Jump to behavior

Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: .exe, 00000004.00000002.477679550.0000000001220000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Users\user\Desktop\ .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Users\user\Desktop\ .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6752, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6444, type: MEMORY
Source: Yara match	File source: 4.2. .exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\ .exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\ .exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6752, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6752, type: MEMORY
Source: Yara match	File source: Process Memory Space: .exe PID: 6444, type: MEMORY
Source: Yara match	File source: 4.2. .exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection12	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Obfuscated Files or Information2	Input Capture21	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing3	Credentials in Registry1	Query Registry1	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading11	NTDS	Security Software Discovery321	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion14	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection12	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
.exe	56%	Virustotal		Browse
.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
.exe	100%	Avira	TR/Kryptik.uduze
.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\apQsEpT.exe	100%	Avira	TR/Kryptik.uduze
C:\Users\user\AppData\Roaming\apQsEpT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\apQsEpT.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2. .exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
persec.gr	0%	Virustotal		Browse
mail.persec.gr	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://GMgRDJ.com	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://mail.persec.gr	0%	Avira URL Cloud	safe
http://dIhLHGXisr.net	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://dIhLHGXisr.ne	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://persec.gr	0%	Avira URL Cloud	safe
http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
persec.gr	85.25.186.211	true	true	0%, Virustotal, Browse	unknown
mail.persec.gr	unknown	unknown	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	.exe, 00000004.00000002.480867921.0000000002CE3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://GMgRDJ.com	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.persec.gr	.exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://dIhLHGXisr.net	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://dIhLHGXisr.ne	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/	.exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://persec.gr	.exe, 00000004.00000002.480546013.0000000002C91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://dIhLHGXisr.net1-5-21-3853321935-2125563209-4053062332-1002_Classes	.exe, 00000004.00000003.432962878.0000000000994000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	.exe, 00000000.00000002.227280957.0000000002851000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	.exe, 00000000.00000002.233363477.000000000BC32000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	.exe, 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	.exe, 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, .exe, 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.25.186.211	unknown	Germany		8972	GD-EMEA-DC-SXB1DE	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321141
Start date:	20.11.2020
Start time:	12:35:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/4@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.6%) Quality average: 60.4% Quality standard deviation: 23.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 130 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 104.43.193.48, 104.75.88.60, 51.104.139.180, 20.54.26.129, 205.185.216.42, 205.185.216.10, 40.67.251.132, 95.101.22.134, 95.101.22.125, 204.79.197.200, 13.107.21.200 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:36:17	API Interceptor	794x Sleep call for process: .exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GD-EMEA-DC-SXB1DE	malware.html	Get hash	malicious	Browse	188.93.15.103
	http://your-prize-ready-lkz.live/?u=1nup806&o=0wywy2l&t=k2Dr_USAtest_PC	Get hash	malicious	Browse	188.138.111.121
	8miw6WNHCt.exe	Get hash	malicious	Browse	217.172.179.54
	gGTQ8uae5s.exe	Get hash	malicious	Browse	217.172.179.54
	ENJ5AB3B0x.exe	Get hash	malicious	Browse	217.172.179.54
	0P0cZbXEbK.exe	Get hash	malicious	Browse	217.172.179.54
	Tk8cA6bHRS.exe	Get hash	malicious	Browse	217.172.179.54
	fTAYoI22iY.exe	Get hash	malicious	Browse	217.172.179.54
	start.exe	Get hash	malicious	Browse	85.25.213.211
	uvjAwriS1c.exe	Get hash	malicious	Browse	217.172.179.54
	vAstEpls9R.exe	Get hash	malicious	Browse	217.172.179.54
	hmB9yvFv40.exe	Get hash	malicious	Browse	217.172.179.54
	ZYhucZndrm.exe	Get hash	malicious	Browse	217.172.179.54
	4WD28ZoLXN.exe	Get hash	malicious	Browse	217.172.179.54
	VLmFsICPqL.exe	Get hash	malicious	Browse	217.172.179.54
	Zped7c3dam.exe	Get hash	malicious	Browse	217.172.179.54
	idWMSrWvoE.exe	Get hash	malicious	Browse	87.230.25.43
	cK2ClsvtJE.exe	Get hash	malicious	Browse	87.230.25.43
	AXZFXiJCj3.exe	Get hash	malicious	Browse	87.230.25.43
	lHuFdWpoMA.exe	Get hash	malicious	Browse	87.230.25.43

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ .exe.log Download File
Process:	C:\Users\user\Desktop\ .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.345637324625647
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5:	6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1:	8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256:	51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512:	014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp88EB.tmp Download File
Process:	C:\Users\user\Desktop\ .exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1640
Entropy (8bit):	5.184896527826423
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBxBtn:cbh47TlNQ//rydbz9I3YODOLNdq3n
MD5:	6EAB4206B94D6528E932EC3C4A938DCC
SHA1:	20BA86B7BC00D2BDD0FEDAC3C5CA48D7B8852CB0
SHA-256:	5A05D19A5B06DD9FCFBD0A0A4229A8472721905D99841944B0792E0AFC2A2D47
SHA-512:	644E57F4BB285CECEE145FD85513016EE55CE10AA0AD7A3E9EFF25F3A6C833D6832A3AAC4B3208199B1F64D48D47B3B638A15906EE5EA548FC667D36B3B142E7
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\51qhj2rq.aji\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\ .exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\apQsEpT.exe Download File
Process:	C:\Users\user\Desktop\ .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	561664
Entropy (8bit):	7.555510842518211
Encrypted:	false
SSDEEP:	12288:Y19HzS46VFkxNjZ53CBc8860iI614WNHJ6vPdJxxcaOq1MUCTdAA:Y19OzVFkxNjLyJ8ytHAvPdWA
MD5:	4C0960A22153523B2626BFF364CC7073
SHA1:	8596C7561F3668D544EE5CF24AC19C1C9DB6C616
SHA-256:	C9442156B26B8FE68A84028F85861191BFF85680B1460D26B9491CBC3F3AC230
SHA-512:	7CB0051E450BF16547B891309C8E51E51B41F3F8F95EE2F15FC5DAC0B3DA6683B74EC65942CEA03CD03F60BEDFFA2760D5B7754EB73537CFCDDAABF1B1BB68ED
Malicious:	true
Yara Hits:	Rule: MAL_RANSOM_COVID19_Apr20_1, Description: Detects ransomware distributed in COVID-19 theme, Source: C:\Users\user\AppData\Roaming\apQsEpT.exe, Author: Florian Roth
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ... ....@.. ....................................@.....................................S.... ............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................0.......H........B......................................................................h........)......Z.........H...@.#....t........C(...HB.p..=.\| ...98..:.%:2xRw...wG.(F"....M9b.].\4`7...q...V..K.....m..i.\...B&....z...l...k......)_...q..l7.z..II..G....el..$..Y....Zb['A?....y.M..9.y.\|.`F/..N..T2....E...V.o..'...e.0..7...@..q1.~d.s[....b.T7\|..1.....L.2I...$.rnB..9.+j..(..(......Sgz..hd....#I...=..46..J._D.t.1.V.d....{?..1.`.A...:...L......*!M.}p...<2..<...n.M..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.555510842518211
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	.exe
File size:	561664
MD5:	4c0960a22153523b2626bff364cc7073
SHA1:	8596c7561f3668d544ee5cf24ac19c1c9db6c616
SHA256:	c9442156b26b8fe68a84028f85861191bff85680b1460d26b9491cbc3f3ac230
SHA512:	7cb0051e450bf16547b891309c8e51e51b41f3f8f95ee2f15fc5dac0b3da6683b74ec65942cea03cd03f60bedffa2760d5b7754eb73537cfcddaabf1b1bb68ed
SSDEEP:	12288:Y19HzS46VFkxNjZ53CBc8860iI614WNHJ6vPdJxxcaOq1MUCTdAA:Y19OzVFkxNjLyJ8ytHAvPdWA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_............................N.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	6eecccccd6d2f2f2

Static PE Info

General
Entrypoint:	0x471e4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB72EF8 [Fri Nov 20 02:50:32 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x71df8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x72000	0x18d18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6fe54	0x70000	False	0.898808070592	data	7.8624495092	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x72000	0x18d18	0x18e00	False	0.14752473304	data	4.30896630278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x72220	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x747c8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x75870	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x75cd8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x79f00	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x8a728	0x4c	data
RT_GROUP_ICON	0x8a774	0x14	data
RT_VERSION	0x8a788	0x39e	data
RT_MANIFEST	0x8ab28	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Les loups-garous de Thiercelieux 1998
Assembly Version	27.0.0.0
InternalName	.exe
FileVersion	11.0.0.0
CompanyName	Les loups-garous de Thiercelieux
LegalTrademarks
Comments	Jeu de la barbichette
ProductName	Ptanque
ProductVersion	11.0.0.0
FileDescription	Ptanque
OriginalFilename	.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:38:00.977946997 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:00.997334003 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:00.997428894 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:01.926336050 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:01.926994085 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:01.946588993 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:01.946995974 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:01.968089104 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.023704052 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.045360088 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.072175980 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.072227001 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.072264910 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.072293043 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.072474957 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.073900938 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.117549896 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.123652935 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.143440962 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.195578098 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.466299057 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.486628056 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.488738060 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.509500980 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.510548115 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.553603888 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.554804087 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.574997902 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.575711012 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.618599892 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.619195938 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.639064074 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.642260075 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.642452955 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.643198967 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.643356085 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.643507004 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.643609047 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.643724918 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:02.662549973 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.662569046 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.663698912 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.663716078 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.663774014 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.663813114 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.663898945 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.671686888 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:02.725683928 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:03.741187096 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:03.761964083 CET	587	49746	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:03.762187004 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:03.903204918 CET	49746	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:03.904203892 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:03.924031973 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:03.924173117 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.842757940 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.845351934 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.923455954 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.925406933 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.947405100 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.949417114 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.973270893 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.973308086 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.973361969 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.973392010 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.973479986 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.973524094 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.974612951 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:04.977596045 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:04.997344017 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.002207041 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.021641016 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.025597095 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.045763969 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.048933983 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.077080011 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.077486038 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.097053051 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.097573996 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.119723082 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.121519089 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.141120911 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.145776033 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.145817995 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.145965099 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.146074057 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.146205902 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.146271944 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.146338940 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.146420956 CET	49747	587	192.168.2.3	85.25.186.211
Nov 20, 2020 12:38:05.166944027 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167006969 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167032957 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167191029 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167347908 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167506933 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.167700052 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.168315887 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.196713924 CET	587	49747	85.25.186.211	192.168.2.3
Nov 20, 2020 12:38:05.242696047 CET	49747	587	192.168.2.3	85.25.186.211

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 20, 2020 12:36:08.970140934 CET	65110	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:09.005853891 CET	53	65110	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:13.681493998 CET	58361	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:14.671353102 CET	58361	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:14.717644930 CET	53	58361	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:15.517726898 CET	63492	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:15.544877052 CET	53	63492	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:17.256653070 CET	60831	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:17.292351961 CET	53	60831	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:17.983359098 CET	60100	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:18.019092083 CET	53	60100	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:18.801959991 CET	53195	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:18.829180956 CET	53	53195	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:21.611474991 CET	50141	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:21.638576984 CET	53	50141	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:23.167923927 CET	53023	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:23.205724955 CET	53	53023	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:24.022481918 CET	49563	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:24.049583912 CET	53	49563	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:24.834919930 CET	51352	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:24.862096071 CET	53	51352	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:25.474847078 CET	59349	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:25.502132893 CET	53	59349	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:26.763196945 CET	57084	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:26.798861027 CET	53	57084	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:27.468164921 CET	58823	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:27.495323896 CET	53	58823	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:29.045761108 CET	57568	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:29.072999954 CET	53	57568	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:31.155839920 CET	50540	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:31.193155050 CET	53	50540	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:39.031672955 CET	54366	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:39.069062948 CET	53	54366	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:40.108289003 CET	53034	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:40.135490894 CET	53	53034	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:55.898308039 CET	57762	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:55.925498962 CET	53	57762	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:58.443252087 CET	55435	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:58.470415115 CET	53	55435	8.8.8.8	192.168.2.3
Nov 20, 2020 12:36:59.801129103 CET	50713	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:36:59.838229895 CET	53	50713	8.8.8.8	192.168.2.3
Nov 20, 2020 12:37:01.485153913 CET	56132	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:37:01.512511015 CET	53	56132	8.8.8.8	192.168.2.3
Nov 20, 2020 12:37:08.559787989 CET	58987	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:37:08.595463991 CET	53	58987	8.8.8.8	192.168.2.3
Nov 20, 2020 12:37:09.859808922 CET	56579	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:37:09.897067070 CET	53	56579	8.8.8.8	192.168.2.3
Nov 20, 2020 12:37:49.360775948 CET	60633	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:37:49.387875080 CET	53	60633	8.8.8.8	192.168.2.3
Nov 20, 2020 12:37:49.887111902 CET	61292	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:37:49.914369106 CET	53	61292	8.8.8.8	192.168.2.3
Nov 20, 2020 12:38:00.741539001 CET	63619	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:38:00.805789948 CET	53	63619	8.8.8.8	192.168.2.3
Nov 20, 2020 12:38:00.840876102 CET	64938	53	192.168.2.3	8.8.8.8
Nov 20, 2020 12:38:00.891570091 CET	53	64938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 20, 2020 12:38:00.741539001 CET	192.168.2.3	8.8.8.8	0xaf0f	Standard query (0)	mail.persec.gr	A (IP address)	IN (0x0001)
Nov 20, 2020 12:38:00.840876102 CET	192.168.2.3	8.8.8.8	0xeec7	Standard query (0)	mail.persec.gr	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 20, 2020 12:38:00.805789948 CET	8.8.8.8	192.168.2.3	0xaf0f	No error (0)	mail.persec.gr	persec.gr		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:38:00.805789948 CET	8.8.8.8	192.168.2.3	0xaf0f	No error (0)	persec.gr		85.25.186.211	A (IP address)	IN (0x0001)
Nov 20, 2020 12:38:00.891570091 CET	8.8.8.8	192.168.2.3	0xeec7	No error (0)	mail.persec.gr	persec.gr		CNAME (Canonical name)	IN (0x0001)
Nov 20, 2020 12:38:00.891570091 CET	8.8.8.8	192.168.2.3	0xeec7	No error (0)	persec.gr		85.25.186.211	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 20, 2020 12:38:01.926336050 CET	587	49746	85.25.186.211	192.168.2.3	220-qla.angellight.com ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 13:38:01 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 20, 2020 12:38:01.926994085 CET	49746	587	192.168.2.3	85.25.186.211	EHLO 760639
Nov 20, 2020 12:38:01.946588993 CET	587	49746	85.25.186.211	192.168.2.3	250-qla.angellight.com Hello 760639 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 20, 2020 12:38:01.946995974 CET	49746	587	192.168.2.3	85.25.186.211	STARTTLS
Nov 20, 2020 12:38:01.968089104 CET	587	49746	85.25.186.211	192.168.2.3	220 TLS go ahead
Nov 20, 2020 12:38:04.842757940 CET	587	49747	85.25.186.211	192.168.2.3	220-qla.angellight.com ESMTP Exim 4.93 #2 Fri, 20 Nov 2020 13:38:04 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 20, 2020 12:38:04.845351934 CET	49747	587	192.168.2.3	85.25.186.211	EHLO 760639
Nov 20, 2020 12:38:04.923455954 CET	587	49747	85.25.186.211	192.168.2.3	250-qla.angellight.com Hello 760639 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 20, 2020 12:38:04.925406933 CET	49747	587	192.168.2.3	85.25.186.211	STARTTLS
Nov 20, 2020 12:38:04.947405100 CET	587	49747	85.25.186.211	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: .exe PID: 6444 Parent PID: 5652

General

Start time:	12:36:12
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\ .exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ .exe'
Imagebase:	0x320000
File size:	561664 bytes
MD5 hash:	4C0960A22153523B2626BFF364CC7073
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.228870931.00000000038F5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.227599432.000000000289E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.229056659.0000000003AF5000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6604 Parent PID: 6444

General

Start time:	12:36:18
Start date:	20/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\apQsEpT' /XML 'C:\Users\user\AppData\Local\Temp\tmp88EB.tmp'
Imagebase:	0xe20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6612 Parent PID: 6604

General

Start time:	12:36:18
Start date:	20/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: .exe PID: 6752 Parent PID: 6444

General

Start time:	12:36:19
Start date:	20/11/2020
Path:	C:\Users\user\Desktop\ .exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x510000
File size:	561664 bytes
MD5 hash:	4C0960A22153523B2626BFF364CC7073
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.475265979.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.478164785.0000000002931000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: .exe PID: 6444 Parent PID: 5652 .exeCOMMON

Executed Functions

Function 025F1792, Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4542a4c8e50df07fb6fbc8e180b2e102613d384ca28cea11fc8bf8c933c4bdc4
Instruction ID: 83909311f8a1c8ccd7ba657207481580cad3e3dd90335e0236328933bcb1a8c4
Opcode Fuzzy Hash: 4542a4c8e50df07fb6fbc8e180b2e102613d384ca28cea11fc8bf8c933c4bdc4
Instruction Fuzzy Hash: DF428F74E01229CFDB64CFA9C984B9DBBB2BF48311F5481A9D909A7365D730AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 025F0468, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575c38f95c077a229b0cbf59124342d585a55d0cc7554df591f4e3e457e2c451
Instruction ID: 364af60a0944230d42147a9ab1a16969375903cae0b2924aa7e8f41c3e5bd56f
Opcode Fuzzy Hash: 575c38f95c077a229b0cbf59124342d585a55d0cc7554df591f4e3e457e2c451
Instruction Fuzzy Hash: 5832E374901229CFDB50DFA5C984A8EFBB2BF48315F59C599C508AB626CB30DD81CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 025F3251, Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de17d84905c776143827a62d5812cc5df74fedb9951d9069324b5b2a6eba556
Instruction ID: 3c331a57b32fd4cfb6b037bfc0cce9b64bf0dc416eb7e8d2f46daa4143edd3dd
Opcode Fuzzy Hash: 0de17d84905c776143827a62d5812cc5df74fedb9951d9069324b5b2a6eba556
Instruction Fuzzy Hash: 5132E2B4901258CFEB90DFA5C984A8DFBB2BF48215F59C5D9C508AB221CB30DD85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 027228AC, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a76e50bd1427bd281966d862cff68fffdf0d4e9d70bf223131dbb0237db879
Instruction ID: 309b1a872ecb8521d41689ac62ff6500ea821eba5582814845296c4708c25473
Opcode Fuzzy Hash: 95a76e50bd1427bd281966d862cff68fffdf0d4e9d70bf223131dbb0237db879
Instruction Fuzzy Hash: 20919275E00319CFCB04DBA4D8949DDB7BAFF89304F258659E416AB360EB70A949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027228A0, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba6f394a165c4157bab4ca68512b3ef0162f0be5171315ff0d0072cc3cc2594
Instruction ID: 1993598d7f789fad6ec276698ac2ffe073204216906b3b250f3e69a41ccdda37
Opcode Fuzzy Hash: 7ba6f394a165c4157bab4ca68512b3ef0162f0be5171315ff0d0072cc3cc2594
Instruction Fuzzy Hash: CA81A375E00319DFCB05DFA0D8948DDB77AFF89304F258619E516AB3A0EB70A989CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02723C90, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095e0a2185c7d06b66512d429565b66bc75e446ffd5f5a58e969605fb60dbe8d
Instruction ID: 90c0f46df5857ea2ab4de8733d9f8ccabd176ddce1ce215b53283909ee4161f8
Opcode Fuzzy Hash: 095e0a2185c7d06b66512d429565b66bc75e446ffd5f5a58e969605fb60dbe8d
Instruction Fuzzy Hash: 75819235E003199FCB04DFA0D8948DDB7BAFF89304F248619E516AB364EB70A989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 025FCC82, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025FCED6

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 47b13fb0457630576ee86f650e40a491cff0093474b90239d42099c4e398dff1
Instruction ID: 3220d2ee9d0897a9ef850863d88d2823a40c1fdfc1a822d6a8177389d8df87b5
Opcode Fuzzy Hash: 47b13fb0457630576ee86f650e40a491cff0093474b90239d42099c4e398dff1
Instruction Fuzzy Hash: 9A713371A00B098FDB64DF6AC44179ABBF5FF88304F00892AD64ADBA50DB34E845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02722840, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02723AAA

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: de71d08d850535b2796c7fae80bea458323602e2b460dc0e2f15ab63c5da320b
Instruction ID: cde3a489083c6f7c8f4daa926b7c8d40a066cdd3983200fe1d6ab65a01a2a2d7
Opcode Fuzzy Hash: de71d08d850535b2796c7fae80bea458323602e2b460dc0e2f15ab63c5da320b
Instruction Fuzzy Hash: 815103B1D00358AFDB14CFA9C884ADEBFB1FF48314F24816AE419AB210D7749849CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0272398E, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02723AAA

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6a88ba897ef57c58cd7ac61271de9b208d11dd3b0b13a7988a7327e840440cf9
Instruction ID: 67aad0773ba50a39d327e72671dec1a73f47d067c0b293d3180ccb3487c6d400
Opcode Fuzzy Hash: 6a88ba897ef57c58cd7ac61271de9b208d11dd3b0b13a7988a7327e840440cf9
Instruction Fuzzy Hash: 8251E0B1D00319AFDB14CF99C880ADEBFB5FF88304F24816AE819AB210D7749845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0272285C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02723AAA

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a783f70ba1b9df24edd5a371355907e906be7025bb766d99e1e10a93b9fae01e
Instruction ID: dba6706bfe24caec281e6991391e2ffbaa237864145b62b2359ff65abcf70249
Opcode Fuzzy Hash: a783f70ba1b9df24edd5a371355907e906be7025bb766d99e1e10a93b9fae01e
Instruction Fuzzy Hash: D251CFB1D00319AFDB14CF9AC884ADEBBB5FF48314F24816AE819AB210D7759945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025F8D25, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 025F8DE1

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9575922b06c9c67780546df248d1502063f5b2c1fb6c39ee7bcf02867d0c544b
Instruction ID: e027028c19ad20717a12f4736ecd05a9b8155f33a9a843e3365b8ca4aed819c3
Opcode Fuzzy Hash: 9575922b06c9c67780546df248d1502063f5b2c1fb6c39ee7bcf02867d0c544b
Instruction Fuzzy Hash: EF41F3B1C0021DCFEB24CFA9C988BCEBBB5BF48308F248469D509AB251DB755945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 027229AC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02726011

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7b779f2dec0a7b1ddb1ffa1b3c02bca8f80f6a0d576b04507c9328c676bab523
Instruction ID: 878f0134f8b74a0716418853e78f371e8b4085859de4aa1169ce2ad630a9600a
Opcode Fuzzy Hash: 7b779f2dec0a7b1ddb1ffa1b3c02bca8f80f6a0d576b04507c9328c676bab523
Instruction Fuzzy Hash: 544158B4A00215CFCB14CF99C888AABBBF5FF89314F258459E519AB321D774A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 025F7634, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 025F8DE1

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4ae11888ab6c520039b6250ab5993710e43b2f11faf186a1deb00ea8bb728b6e
Instruction ID: 2643dbf6665e3a9b87cda6075877ec19886f2d3d94299a9a9f6bbe1d6afaec68
Opcode Fuzzy Hash: 4ae11888ab6c520039b6250ab5993710e43b2f11faf186a1deb00ea8bb728b6e
Instruction Fuzzy Hash: 704102B1C0061CCFEB24DFA9C8487CEBBB5BF48308F248469D509AB250DBB56949CF94

Uniqueness

Uniqueness Score: -1.00%

Function 025FE38C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025FF176,?,?,?,?,?), ref: 025FF237

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a8c00b82ac8641fa5a9b253adf3bc0fbc3a5e6699c9917a5f48b8ade51554a9
Instruction ID: 2d60c49aff777885996e278be6193e6ef81c8e7dc537eef82480ed381601b9f8
Opcode Fuzzy Hash: 3a8c00b82ac8641fa5a9b253adf3bc0fbc3a5e6699c9917a5f48b8ade51554a9
Instruction Fuzzy Hash: E221E4B5D00208EFDB10CFAAD984ADEBBF4FB48324F14841AE914A7750D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025FF1A8, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025FF176,?,?,?,?,?), ref: 025FF237

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 814dbaced9d27ff15fe7cc260d4e1eb7b48f74a09366f44446633b350a15c9f2
Instruction ID: 3d67464811c7fe81ce4107df32431c5abb7ab4e947007dc9b35669f2598bf8bc
Opcode Fuzzy Hash: 814dbaced9d27ff15fe7cc260d4e1eb7b48f74a09366f44446633b350a15c9f2
Instruction Fuzzy Hash: 5421D2B5900209EFDB10CFAAD984ADEBFF8FB48324F14805AE914A7750D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025FCF0A, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025FCED6

Part of subcall function 025FC718: LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,025FCF51,00000800,00000000,00000000), ref: 025FD162

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 938789e78fc91216418b75f90316e1dc6c8f8ba08943f6d26e86e5168fdd7d73
Instruction ID: 3b38bcae53de7b1600c9f6f9b7e883a6d2ee2d283605dd7c57ac7847c462ef73
Opcode Fuzzy Hash: 938789e78fc91216418b75f90316e1dc6c8f8ba08943f6d26e86e5168fdd7d73
Instruction Fuzzy Hash: CC11D271A003098FDB14DB5AC8407AAFBF9BFC5315F05846BD619E7250C734A809CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 025FC718, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,025FCF51,00000800,00000000,00000000), ref: 025FD162

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 30a03ada959eb92b5547b96fe5f1c924c81d2d35c6b7a70723de8e85fb6978d7
Instruction ID: 482c3445e46f1c4d1c639f6aec5355d62e03c6aea7a8814f096c2c476be4809d
Opcode Fuzzy Hash: 30a03ada959eb92b5547b96fe5f1c924c81d2d35c6b7a70723de8e85fb6978d7
Instruction Fuzzy Hash: E81114B2D002099FDB10CF9AC844AEEFBF4FB89314F14842AE915A7600C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025FD0F0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,025FCF51,00000800,00000000,00000000), ref: 025FD162

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9838eb3c8f7560ee009542bf93ff3b85fe22a3838c161e2662b1e92f55097666
Instruction ID: 4c0bcb8503fe1ae021181dfbf2576d4370b06d016b336ce73aa7a17b992b76ba
Opcode Fuzzy Hash: 9838eb3c8f7560ee009542bf93ff3b85fe22a3838c161e2662b1e92f55097666
Instruction Fuzzy Hash: FC1114B6D003099FDB10CF9AD944ADEFBF4FB99324F04842AD519A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 025FCE70, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 025FCED6

Memory Dump Source

Source File: 00000000.00000002.226549479.00000000025F0000.00000040.00000001.sdmp, Offset: 025F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 46c550e07804b3a17a0435961bc7350db1c4402e9cc0fd3ab3b89b1b73cb776b
Instruction ID: 21021b6241f5bc120829bd0814aff1e1f8560aa8a23df7cbb50cdcba22699605
Opcode Fuzzy Hash: 46c550e07804b3a17a0435961bc7350db1c4402e9cc0fd3ab3b89b1b73cb776b
Instruction Fuzzy Hash: 8F11DFB6D006498FDB20CF9AD444ADEFBF4AF89224F14842AD529A7700D374A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02722894, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 02723C3D

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d16e0c86a455fd2a07ac652515a6a302e0f883cff6a9cc2803168e7988c26c18
Instruction ID: 961422a5972acc8e838e081bbd44263f16d9732de5197b4778b5a774486cd596
Opcode Fuzzy Hash: d16e0c86a455fd2a07ac652515a6a302e0f883cff6a9cc2803168e7988c26c18
Instruction Fuzzy Hash: BE1122B19002089FDB10DF8AD584BDFBBF8EB48324F10845AE915A7340C378A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02723BD9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 02723C3D

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1b4d83533ffd52ea8745c75cc7cbe0305b091f1cfb7b728c3b6742a77bf6a66e
Instruction ID: de31808090bf849b191b0d47b0d826f642ed9a4cbe9fbb481c89aa49fd6d22cc
Opcode Fuzzy Hash: 1b4d83533ffd52ea8745c75cc7cbe0305b091f1cfb7b728c3b6742a77bf6a66e
Instruction Fuzzy Hash: 9811F2B59003099FDB10CF9AD585BDEBBF8EB48324F10845AE919A7740C378A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D650, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3031923847f6555474184d0b183fce17597832e542ec9a535c67bc169b6adbda
Instruction ID: bd05b57d4e3e30b5a34c7664efd78d56c4a8d3bbb90cc9e8250f30365b1d8ab2
Opcode Fuzzy Hash: 3031923847f6555474184d0b183fce17597832e542ec9a535c67bc169b6adbda
Instruction Fuzzy Hash: 59216DB1A04240DFCF15CF14D8C0F17BBA5FB88314F248969E90A4F246C336D816DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40724b61baf7729ce2fb1f9c52497fd370db8c7e8e3ee7ff316c4bbd5c8554e5
Instruction ID: da2ae775c9dcf001f5f76075b8cb530ce1728d8a0222a100fb2748a924713873
Opcode Fuzzy Hash: 40724b61baf7729ce2fb1f9c52497fd370db8c7e8e3ee7ff316c4bbd5c8554e5
Instruction Fuzzy Hash: 842128B1A04244DFDB21CF14D9C0B2ABB65FB98324F24C569E8064F346C736EC46DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226192280.0000000000C7D000.00000040.00000001.sdmp, Offset: 00C7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fb4b366b30ec38fc1bb05cf8f85dcf2c0fd4f8388bc0679fed96f73dea55b0
Instruction ID: 860592167b6b5bd17b7220763f21971a9de5635fbf9385df548dceec91aa574b
Opcode Fuzzy Hash: 59fb4b366b30ec38fc1bb05cf8f85dcf2c0fd4f8388bc0679fed96f73dea55b0
Instruction Fuzzy Hash: 6321D371904200EFDB01DF54D5C0B16BB75FF84324F24C9A9E84A4B242C736DC46CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226192280.0000000000C7D000.00000040.00000001.sdmp, Offset: 00C7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa9d919b8bad641ca228a25c59fc0352fb4ef0c23f148b205c230ad7ed69347
Instruction ID: 5259ac7a6441b1a38829128060498f96bfe494d01dd542427bac51e2e2675c5e
Opcode Fuzzy Hash: 6fa9d919b8bad641ca228a25c59fc0352fb4ef0c23f148b205c230ad7ed69347
Instruction Fuzzy Hash: AC21D075504240DFDB14DF14D9C4B16BB75FF88324F24C9A9E80E4B346C73AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226192280.0000000000C7D000.00000040.00000001.sdmp, Offset: 00C7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f54192a585b122c0695e1471f55821994e4c860c6aa58c87735ecec12840a91
Instruction ID: 0331ded190a056125be6aea84c0968f8c9271c39432ba1a88c1171aac7d39822
Opcode Fuzzy Hash: 6f54192a585b122c0695e1471f55821994e4c860c6aa58c87735ecec12840a91
Instruction Fuzzy Hash: 53217C755093808FCB02CF24D994B15BF71EF46214F28C5EAD8498B6A7C33A994ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D64B, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42944e38b1aeb64e239597e7e64386f7f10e040ad6861b0b4e2143ffe08c3f18
Instruction ID: 31cf9f92456df2ee6196b73e0ba616945cb75bafd695c4850656c9f36a0224ed
Opcode Fuzzy Hash: 42944e38b1aeb64e239597e7e64386f7f10e040ad6861b0b4e2143ffe08c3f18
Instruction Fuzzy Hash: 4521D276904280DFCF16CF00D9C4B16BF72FB98314F2886A9D9490B65AC33AD956CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 3556d2fc4fd3e38a24cfe4cef0554932c8262acbf2c77ec68078b0d4cffb363d
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 7111D376904280DFCB12CF14D5C4B66BF71FB94324F28C6A9D8094B656C33AE95ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C7D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226192280.0000000000C7D000.00000040.00000001.sdmp, Offset: 00C7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction ID: 7cefc1a7b2cf2fb2dd0995f7858acc221679d3da30f6aff5272f058c8d9bfbc2
Opcode Fuzzy Hash: 10598f41ecae80e3ed7eaa2e4d93e548ce5d2277042f09e11ef5a73a669a8393
Instruction Fuzzy Hash: D6118B75904280DFCB12CF14D5C4B15BBB1FF84324F28C6AED84A4B656C33AD94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D7C1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd9d8ccd93b84c62e5f727a4378c0e91ed16979dfc9a2c04c849f9b23a2d0a6
Instruction ID: f889d4f3bc3e27ebc1de2534f930d2ce21957a95925491716acaf9b67de75d95
Opcode Fuzzy Hash: efd9d8ccd93b84c62e5f727a4378c0e91ed16979dfc9a2c04c849f9b23a2d0a6
Instruction Fuzzy Hash: C901F771E08344AAE7204A16CCC4766BB98EF54328F18845AED164F282C7789844C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D7C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.226135785.0000000000C6D000.00000040.00000001.sdmp, Offset: 00C6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5327c0e9515c6ec5a7f1059c6763949ef27f5746729541df7c7b2dba9333832
Instruction ID: 2d20ac6044d8a2a6eb2182d9a13078daefbe858d16c04ae996b2df235664c5b1
Opcode Fuzzy Hash: c5327c0e9515c6ec5a7f1059c6763949ef27f5746729541df7c7b2dba9333832
Instruction Fuzzy Hash: BAF06271904244AFE7208A16DCC8BA2FF98EB55734F18C55AED195B682C3799844CAF1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02721E10, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77465c9ade9e2e1047700a99262b8616b35fb49f7f5766c8b1cc01b6272df655
Instruction ID: c55ff06b85744a2873727dc16309b7f446332247e73cf93715585f49abbaed48
Opcode Fuzzy Hash: 77465c9ade9e2e1047700a99262b8616b35fb49f7f5766c8b1cc01b6272df655
Instruction Fuzzy Hash: 1C12D8F1C81F468AD338CF55E89A19D3B60B744329BD26A09D2632BAD0D7B411EECF44

Uniqueness

Uniqueness Score: -1.00%

Function 02721458, Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0161d5d941d9361baa860b7d9f20aecb7925401de89d7e9051d353c21255908
Instruction ID: 65ece22090afeea8eeec6c8ae4f5d9d3a5a6d53bed58e2034e079e101f54d31f
Opcode Fuzzy Hash: a0161d5d941d9361baa860b7d9f20aecb7925401de89d7e9051d353c21255908
Instruction Fuzzy Hash: B0A17C32E0021ACFCF15DFA5C8545DEBBB2FFC4304B15856AE909AB261EB35A959CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02721E02, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.227050529.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493b984f1056286313be19eaec2f1a92f734b668b56a03f4649c4fdccce2bf15
Instruction ID: 45cba873930a19c70c83abb9ffd82beec40b7117e1f26f8c79843c75e59cb708
Opcode Fuzzy Hash: 493b984f1056286313be19eaec2f1a92f734b668b56a03f4649c4fdccce2bf15
Instruction Fuzzy Hash: 1AC14CB1C91B468BD738DF25E89A18D3B71BB45328F926A08D1232B6D0D7B410EECF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: .exe PID: 6752 Parent PID: 6444 .exeCOMMON

Executed Functions

Function 00E00A70, Relevance: 7.0, APIs: 4, Instructions: 976libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E00BCB
KiUserExceptionDispatcher.NTDLL ref: 00E0122F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 922b9ad5ebe7e1a8b353deff1bfc87e8e3529591838e60f231aaecc795ac9bff
Instruction ID: 01ebabd6e7823ea1f7cc9946e620f47a635fe41c508c70bc4a93e209d5813fd8
Opcode Fuzzy Hash: 922b9ad5ebe7e1a8b353deff1bfc87e8e3529591838e60f231aaecc795ac9bff
Instruction Fuzzy Hash: 4CA24974A00219CFCB64EF60D9586ADB7B6BF89305F2084EAD509A7350DF359E86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E236C0, Relevance: 4.7, Strings: 1, Instructions: 3422COMMON

Download Yara Rule

Strings

YJ, xrefs: 00E239DC

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID: YJ
API String ID: 0-1941637157
Opcode ID: 323814cec10c75a942857c2aaebae791ee278e5278f3fc7f77bb209e32c4ff33
Instruction ID: 3f6ede22a397fb3d5821c50b0355da8b386382cb3dbf753689f9fdbb263bb88a
Opcode Fuzzy Hash: 323814cec10c75a942857c2aaebae791ee278e5278f3fc7f77bb209e32c4ff33
Instruction Fuzzy Hash: 5B733C31D10B598ECB11EF68C8846A9F7B1FF95304F15D79AE458BB261EB30AAC4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00E23A90, Relevance: 2.7, Instructions: 2724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6948b2f3ee238e7982f69103e30ace30dee5e51dfdb534df9de2280a9f8ca56d
Instruction ID: 83c37e05c5bcb1d0fe9cc5c2425cdc707ffa0bb46f1ede8c7eb865ca6d5fdbb5
Opcode Fuzzy Hash: 6948b2f3ee238e7982f69103e30ace30dee5e51dfdb534df9de2280a9f8ca56d
Instruction Fuzzy Hash: 3F53F971D10B198ACB11EF68C8846A9F7B1FF99304F15D79AE4587B221EB70AAC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00E135C0, Relevance: 2.7, APIs: 1, Instructions: 1203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ce6d4a6f5d514e44fe161f58ac6985f56933087a06c73947621a2350e6c5c6
Instruction ID: d37db8a5ae02913f3c52cc600aa6548749df4f8edf279daeec69327b17cc8434
Opcode Fuzzy Hash: b8ce6d4a6f5d514e44fe161f58ac6985f56933087a06c73947621a2350e6c5c6
Instruction Fuzzy Hash: 9BA25C70E006198FDB24DF78C8546DDB7B2AF89314F1095AAD44AFB790EF309E858B91

Uniqueness

Uniqueness Score: -1.00%

Function 00E4085C, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 00E43133

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0237007d3a2f436bc2e23fc0c8ed7069601c5b444aad4958b004a77b25708d68
Instruction ID: c81dfd2c6036d0b92dc567a58552cf216a26b2d45bb32a533c4226edb96fe99b
Opcode Fuzzy Hash: 0237007d3a2f436bc2e23fc0c8ed7069601c5b444aad4958b004a77b25708d68
Instruction Fuzzy Hash: 01211571D006099FCB54CFAAD844BEEBBF5EB88314F10842AE419B7750DB74A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E20040, Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecfc1c72b88cc32a278930c15bca8e4c7628a710c5794e9f955f736bdbf1f25
Instruction ID: 9a32fe21483f95902e6e0852632278db9dfabe48cf3ceb3d8256ad98ca1cae7d
Opcode Fuzzy Hash: 1ecfc1c72b88cc32a278930c15bca8e4c7628a710c5794e9f955f736bdbf1f25
Instruction Fuzzy Hash: B3924B70F003188FDB64DB78D855BAEB6F2EF85305F1484A8D90AAB381DF759D858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2D0D9, Relevance: 1.0, Instructions: 1014COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638f502b044b920f6865f0e6a4acaad80745917bede4fcff499db156c704ab3e
Instruction ID: fb0eb4960eab657098f037d401324557a9fe46801ecb72cdbbf1bd4f3c8bd7e9
Opcode Fuzzy Hash: 638f502b044b920f6865f0e6a4acaad80745917bede4fcff499db156c704ab3e
Instruction Fuzzy Hash: BE82F570B08254CFEB24DB68D8557ADB7A2EF81308F24846AD606EF392DB74DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E299D8, Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3997d9fba316baa184bbdbdd7ee796631c553e9e49df4c85a863e8259604e1e
Instruction ID: 747aab60c35e3a5b23e15542ae6ed4bff5fdcc62977750c5ed2d48c192c53ff0
Opcode Fuzzy Hash: a3997d9fba316baa184bbdbdd7ee796631c553e9e49df4c85a863e8259604e1e
Instruction Fuzzy Hash: 2452BE70B002149FDB14DBA8D854BAEB7F2EF89304F199469E506EB392DB34DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E22E30, Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96730ad4600255e9a1520c736558f9708377f4f5deec003b310f26fcc0ed6c3
Instruction ID: e3e542f48b888c5fb444da1e833e8214c1065effe84114d98f88b5eb00ca445b
Opcode Fuzzy Hash: b96730ad4600255e9a1520c736558f9708377f4f5deec003b310f26fcc0ed6c3
Instruction Fuzzy Hash: 0DE1E131B012149FDB14EBB8D859BAE7BB2AF84304F158469E905EB391DF34DD058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E00A91, Relevance: 6.6, APIs: 4, Instructions: 632libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E00BCB
KiUserExceptionDispatcher.NTDLL ref: 00E0122F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 7d570335d7d5e15361a9afa58168abf2a76f67cd7f69ed89e00c9dd7c215a65d
Instruction ID: b965ef726188fd1e541e461a0a21dd744168a872b852fbcc5ef2c6c316de8bf5
Opcode Fuzzy Hash: 7d570335d7d5e15361a9afa58168abf2a76f67cd7f69ed89e00c9dd7c215a65d
Instruction Fuzzy Hash: 06522974A01259CFCB24DF60D9586ACB7B6BF89305F2094EAE509A7340DF359E82CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00E00EF3, Relevance: 5.0, APIs: 3, Instructions: 465COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f281af4d6c2dfe4995d2d949b7a56abe3e36a958a4fb9d0aa512cca4d203151d
Instruction ID: e84c2fda570845c2efe238f1d7732af29b463c8456cac097ffb949f3cbd77943
Opcode Fuzzy Hash: f281af4d6c2dfe4995d2d949b7a56abe3e36a958a4fb9d0aa512cca4d203151d
Instruction Fuzzy Hash: B03226B4A00259CFCB25DF60D8546ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E00F38, Relevance: 5.0, APIs: 3, Instructions: 458COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a3aced94d9c32c3ab3488e004cb4969aad591909f9e8f258d19a6a6d5219c23c
Instruction ID: c6f9254d6ee80aa194ca1c6c3c607f727c36cd01c7e5df0bf259f6adc1b04dad
Opcode Fuzzy Hash: a3aced94d9c32c3ab3488e004cb4969aad591909f9e8f258d19a6a6d5219c23c
Instruction Fuzzy Hash: 802216B4A01259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E00F7D, Relevance: 4.9, APIs: 3, Instructions: 449COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ef83225bb779f55c9bfd3981d8a3c1f7ae0baa0f20fb00b1768cf1d29d271c71
Instruction ID: 42852c94256ac8f97e2e1cd40c4572d267cad36800a59a24323187871c44e025
Opcode Fuzzy Hash: ef83225bb779f55c9bfd3981d8a3c1f7ae0baa0f20fb00b1768cf1d29d271c71
Instruction Fuzzy Hash: E92216B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E00FB9, Relevance: 4.9, APIs: 3, Instructions: 444COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ebfd6ec05cb4f5173b0500d7e3e002ee61dcecdb66b281f204eecdee28188fd0
Instruction ID: 242e091396dee54e86dd74998bf7a254fa71c6a96b102e2ab27107a03aad9917
Opcode Fuzzy Hash: ebfd6ec05cb4f5173b0500d7e3e002ee61dcecdb66b281f204eecdee28188fd0
Instruction Fuzzy Hash: 3A2216B4A01269CFCB24DF60D9546ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E00FFE, Relevance: 4.9, APIs: 3, Instructions: 437COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7eb6eeacf7647975229675e670b1c3a48b9ff762529e1557d8cb0360ac520582
Instruction ID: 05c5a433933cc1a070b92f8071b03c58d3c28c9a3991eb3c7cb59bbbb3e3b389
Opcode Fuzzy Hash: 7eb6eeacf7647975229675e670b1c3a48b9ff762529e1557d8cb0360ac520582
Instruction Fuzzy Hash: E72226B4A01259CFCB24DF60D8946ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E01043, Relevance: 4.9, APIs: 3, Instructions: 428COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eef949e0b434e1ffdb7a0b2d3b27ae0c0101988f0ad16e457023fe386733a0a5
Instruction ID: c23c289a49b2438bb1c760d6dbc9c80b7fe571131dd81fad06f36e27c8e7756f
Opcode Fuzzy Hash: eef949e0b434e1ffdb7a0b2d3b27ae0c0101988f0ad16e457023fe386733a0a5
Instruction Fuzzy Hash: 8A2226B4A01259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00E0107F, Relevance: 4.9, APIs: 3, Instructions: 423COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 84ae79aebbe93048f10c61a85eb4bcacca4a1f9e7140d1071ed62fc0760cb490
Instruction ID: 6d850e0a2cc0044b8b84b4cc5c2d7b03f39548564d0da97c7e8295c660bf4191
Opcode Fuzzy Hash: 84ae79aebbe93048f10c61a85eb4bcacca4a1f9e7140d1071ed62fc0760cb490
Instruction Fuzzy Hash: B81226B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E010C4, Relevance: 4.9, APIs: 3, Instructions: 416COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 49e54ec0847771d20323308a94daf1b0a14aaad752f842eb304d17b35419e9ad
Instruction ID: b668ae1dff1eb275e08e8257a29c556ca1500ba862c6608421920eb8e2c3f706
Opcode Fuzzy Hash: 49e54ec0847771d20323308a94daf1b0a14aaad752f842eb304d17b35419e9ad
Instruction Fuzzy Hash: D21226B0A01259CFCB24DF60D9946ACB7B6BF88305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01109, Relevance: 4.9, APIs: 3, Instructions: 407COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 98750d298ee9f4da99c5a9ad54656f6d14a507a0efa8b776039884be3997f6d9
Instruction ID: b658378bce1e059fb57212a8f1ce296c066504801a90143bca2201bc046a1493
Opcode Fuzzy Hash: 98750d298ee9f4da99c5a9ad54656f6d14a507a0efa8b776039884be3997f6d9
Instruction Fuzzy Hash: 0B1216B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01145, Relevance: 4.9, APIs: 3, Instructions: 402COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e0dc27e6e379119c255d95e1d759ba0e55d2adf96a01837dd801863598d2daa8
Instruction ID: 3cdb47a630885d3de89388d39f1a0fa9dba453923d469d88f1dce85f04d5826b
Opcode Fuzzy Hash: e0dc27e6e379119c255d95e1d759ba0e55d2adf96a01837dd801863598d2daa8
Instruction Fuzzy Hash: 681217B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E0118A, Relevance: 4.9, APIs: 3, Instructions: 395COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cfa5ef0baf1e0b5a134fb0b4a025aeeaabf871993cbc53dd1b6d9ba82c4e1165
Instruction ID: 2d27cca8ecbc45e3a6bf695c911a5da2c0b9bde7bb0da109f471d70c4c0f4309
Opcode Fuzzy Hash: cfa5ef0baf1e0b5a134fb0b4a025aeeaabf871993cbc53dd1b6d9ba82c4e1165
Instruction Fuzzy Hash: D51217B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E011CF, Relevance: 4.9, APIs: 3, Instructions: 388COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1897e36e34716c4ae4c0a17863865d67991c54c83d5b4d331ef982da8c232c9b
Instruction ID: b09dd06925be98fcc4ef28f46c1064d8cc17fade2a047069d21e0dfad2c50ec4
Opcode Fuzzy Hash: 1897e36e34716c4ae4c0a17863865d67991c54c83d5b4d331ef982da8c232c9b
Instruction Fuzzy Hash: 4A0227B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01214, Relevance: 4.9, APIs: 3, Instructions: 379COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E0122F
KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 57cb6fe1630a660cf5c788bbd4d6d409b25e9ccec476838827a8b6b4fe4cb222
Instruction ID: d80782490da5b9294f11fb4a82f03d42f3a2a0a83e86f728f8d509c106fabfc4
Opcode Fuzzy Hash: 57cb6fe1630a660cf5c788bbd4d6d409b25e9ccec476838827a8b6b4fe4cb222
Instruction Fuzzy Hash: AA0218B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01250, Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a7e74f0f02f802523a5c59f044ff7f46e4afb4dba3b50707b84142edb1aa54ef
Instruction ID: a4314fe48272d9815ea27fae828145696fe0cd43bbfae946ab6778060b261bb1
Opcode Fuzzy Hash: a7e74f0f02f802523a5c59f044ff7f46e4afb4dba3b50707b84142edb1aa54ef
Instruction Fuzzy Hash: 290208B4A00259CFCB24DF60D9946ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01295, Relevance: 3.4, APIs: 2, Instructions: 367COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b77c58da8f8fb83b7dff10bb822a2cf0ff0b6b5b9ffb0e9ccd3ad359ab323df4
Instruction ID: aab7c7cebb9a6aeca3b56124ccab69db6ec32d67bffafbecc1149fbd7cbc26ff
Opcode Fuzzy Hash: b77c58da8f8fb83b7dff10bb822a2cf0ff0b6b5b9ffb0e9ccd3ad359ab323df4
Instruction Fuzzy Hash: 680208B4A00259CFCB24DF60D9946ACB7B6BF88305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E012DA, Relevance: 3.4, APIs: 2, Instructions: 358COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c5d116ebbb2745f84d2b245f4304300ef77b4f75be9bb8d81c34a387f5abe084
Instruction ID: 6cc2bc9b01bb7da993f8e75f82673098765f7e352493d1c9b8fbd542b97578c6
Opcode Fuzzy Hash: c5d116ebbb2745f84d2b245f4304300ef77b4f75be9bb8d81c34a387f5abe084
Instruction Fuzzy Hash: 82F1F9B4A00259CFCB24DF60D9546ACB7B6BF89305F2094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E01316, Relevance: 3.4, APIs: 2, Instructions: 353COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b6ec185f12bd4b9410c28f40703cd20f8a49ad5dc75ea02a3fbcdfd4b93358d4
Instruction ID: b696201807d096055ab9cf4fb94357aeef3197a0bf98e747aa24cdc3b90fa5c4
Opcode Fuzzy Hash: b6ec185f12bd4b9410c28f40703cd20f8a49ad5dc75ea02a3fbcdfd4b93358d4
Instruction Fuzzy Hash: 41F109B4A00259CFCB24DF60D9946ACB7B6BF88305F6094EAD609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E0135B, Relevance: 3.3, APIs: 2, Instructions: 346COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 289e6c8f5124faea817b6c4b683b6dcd752b342f91fe6138e42953f9d3004d59
Instruction ID: 2d900af6e6d0ed4a808e3a64a7d118dc31dba7db7475f76911265ccb758aad04
Opcode Fuzzy Hash: 289e6c8f5124faea817b6c4b683b6dcd752b342f91fe6138e42953f9d3004d59
Instruction Fuzzy Hash: 03F109B4A00259CFCB24DF60C9546ACB7B6BF88305F6094E9D609A7340DF359E82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00E013A0, Relevance: 3.3, APIs: 2, Instructions: 339COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b04148ae4442f2f4bb79aeffdc4166b0772de0b259f7c01d1dd3e0055b43c459
Instruction ID: 7dd847dd56b3e1e551d9e99a5819bc0a5d71b71fc613025b2097f8d0b7280019
Opcode Fuzzy Hash: b04148ae4442f2f4bb79aeffdc4166b0772de0b259f7c01d1dd3e0055b43c459
Instruction Fuzzy Hash: 37F1F8B4A00259CFCB24DF60C9946ACB7B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E013E5, Relevance: 3.3, APIs: 2, Instructions: 332COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 24faf750906f90de806b86624e6d23a48a4bd55567254bfbbd3a0ed187996165
Instruction ID: c1d553ff73b87e60a7e1b9b2af283c55e4e4b2c54131e1372f7a9a9a13a686c6
Opcode Fuzzy Hash: 24faf750906f90de806b86624e6d23a48a4bd55567254bfbbd3a0ed187996165
Instruction Fuzzy Hash: F7F108B4A00259CFCB24DF60C9946ACB7B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0142A, Relevance: 3.3, APIs: 2, Instructions: 323COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7428c947bd012f617c9003f78c7a5eea4b0c7543e042de049666c14d936f8846
Instruction ID: 623fb54a08094914c468a19fb2fff049e514383e68744329a35ef195c9b3d558
Opcode Fuzzy Hash: 7428c947bd012f617c9003f78c7a5eea4b0c7543e042de049666c14d936f8846
Instruction Fuzzy Hash: 40E118B4A00259CFCB24DF60C9946ACB7B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01466, Relevance: 3.3, APIs: 2, Instructions: 318COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e4597d78d04f302a12f19413fb30bacaa94e40217dc7c6602fae98938973491a
Instruction ID: 1762d877c7209413feba05652649ea4c3dc169bcb9a1c0565c6b83b6de40a8d2
Opcode Fuzzy Hash: e4597d78d04f302a12f19413fb30bacaa94e40217dc7c6602fae98938973491a
Instruction Fuzzy Hash: 17E118B4A00269CFCB24DF60C9546ACB7B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E014AE, Relevance: 3.3, APIs: 2, Instructions: 311COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2d99f06e7f96b7a513b6dffd17cd2233896eac2b63b60dd9c7b6019cd5247684
Instruction ID: cf6933d1e3d10a8ee62ecb904388bb810478a2da03c9bfd1cd4cc840c5c0b641
Opcode Fuzzy Hash: 2d99f06e7f96b7a513b6dffd17cd2233896eac2b63b60dd9c7b6019cd5247684
Instruction Fuzzy Hash: 85E119B4A00219CFCB24DF60C9946ADB7B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E014F6, Relevance: 3.3, APIs: 2, Instructions: 304COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bebbe38877dc93b98d9257c0df5d5d438c5449a2b03c4afdb757f96015286a08
Instruction ID: 9892cb7beb5618a1d2f5049471764c2ddca53744f7f8998bfab77948618deef3
Opcode Fuzzy Hash: bebbe38877dc93b98d9257c0df5d5d438c5449a2b03c4afdb757f96015286a08
Instruction Fuzzy Hash: 81E118B4A00229CFCB24DB60C9546ADB7B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0153E, Relevance: 3.3, APIs: 2, Instructions: 297COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 771146c257cd03c2d88bc32261b40486e50d5cb21bd3493d856ad483f858455c
Instruction ID: 6eec675a70bddd24348238a4e70da805ba5846407234c3e5b968dd5bf7774a2a
Opcode Fuzzy Hash: 771146c257cd03c2d88bc32261b40486e50d5cb21bd3493d856ad483f858455c
Instruction Fuzzy Hash: 78D129B4A00259CFCB24DB60C9546ACB7B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01586, Relevance: 3.3, APIs: 2, Instructions: 290COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fd659e1963abe8c7e4834c96b4e060b6ae9de7fadc2387f678698386e49077da
Instruction ID: 3d500b5decf2dc199473fdfcf702a9b01400bb2110865ad5a3de25ae3b1b9d84
Opcode Fuzzy Hash: fd659e1963abe8c7e4834c96b4e060b6ae9de7fadc2387f678698386e49077da
Instruction Fuzzy Hash: 81D11AB4A00229CFCB24DB60C9546ADB7B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E015CE, Relevance: 3.3, APIs: 2, Instructions: 283COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E015F5
KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3364c02c50d3b869bfad2a5fa2fb2ab7206cef8c7481a7f3e33434f59c92ff67
Instruction ID: 3c0b1e38d5726964887682cbc29e56deffd240f79a991be758f43484a00ebfc1
Opcode Fuzzy Hash: 3364c02c50d3b869bfad2a5fa2fb2ab7206cef8c7481a7f3e33434f59c92ff67
Instruction Fuzzy Hash: 9CD11BB4A00219CFCB24DB60C9946AD77B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E1DA18, Relevance: 2.1, APIs: 1, Instructions: 619libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E1DFCF

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a324326ce66f534dcc03606ebe47a8ae0ac7fe7c01ee0ef470caa1cd3b3f9cc3
Instruction ID: d078fe8886b2d396d6f92fb902ba38558d47542dbf3ed9303b20f0009d9dbcfc
Opcode Fuzzy Hash: a324326ce66f534dcc03606ebe47a8ae0ac7fe7c01ee0ef470caa1cd3b3f9cc3
Instruction Fuzzy Hash: D122C33070D3858FD70297759C58AA97FB2AF8A304F1A85EAD444DF6A3EA75CC09C721

Uniqueness

Uniqueness Score: -1.00%

Function 00E42DE0, Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 00E43133

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: a881e959679b0e207317df716f9cd0cf38ebd670db53578bd49cf461537463bc
Instruction ID: 33e1c5da5da63dae72c07c15efa643b67f555c645d5dfaec56973e76e08ac1d5
Opcode Fuzzy Hash: a881e959679b0e207317df716f9cd0cf38ebd670db53578bd49cf461537463bc
Instruction Fuzzy Hash: 93B1C170B093858FD702DB79981579A7FF2AF86304F1984EBE148EB692D675CC09CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00E01616, Relevance: 1.8, APIs: 1, Instructions: 276COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b69740c32999df4edcd5cef877e8988d746979fb6ee71df662bf3ebbf21c9646
Instruction ID: 22957aef2ffc6f5132f512f56b843d0ce465a8793b9b55e240ce6ca4cceb2faf
Opcode Fuzzy Hash: b69740c32999df4edcd5cef877e8988d746979fb6ee71df662bf3ebbf21c9646
Instruction Fuzzy Hash: A5C14CB4A00219CFCB24DB60C9946ADB7B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0165E, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f163abb2520c58ff5870d46b53b99eb5e1a1e780abe9b5d278057e9a35ea37ed
Instruction ID: 4d0acc29d44f9904a30705e6bfdab014d5d3d2670f0dc5f60b1078f83516d9dc
Opcode Fuzzy Hash: f163abb2520c58ff5870d46b53b99eb5e1a1e780abe9b5d278057e9a35ea37ed
Instruction Fuzzy Hash: 79C12BB4A00219CFCB24DB60C9946AD77B6BF88305F6094EDD609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E016A6, Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eb52e65e8b9952369cc779a2119d999e5856dd534cd5ef5bfef8d79fdca087b9
Instruction ID: abacf39ba0afb8ee93db77ad4bb528f6b1d3a6bcf1482cc7a667042de2e6f2c9
Opcode Fuzzy Hash: eb52e65e8b9952369cc779a2119d999e5856dd534cd5ef5bfef8d79fdca087b9
Instruction Fuzzy Hash: EEC10BB4A00219CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E016EE, Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c29ca2b01124a5d472e76410551ec929573518306335f12cc6c939bff6c0417e
Instruction ID: 25e00140739866b849e8eae6599eb83ac6abd92513f169b8c31def4e6cadf657
Opcode Fuzzy Hash: c29ca2b01124a5d472e76410551ec929573518306335f12cc6c939bff6c0417e
Instruction Fuzzy Hash: 70B10AB4A00229CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01736, Relevance: 1.7, APIs: 1, Instructions: 248COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f1bc3a5f78dbca669b89b690e63c9a506ba9257ab2e9d2f06a8094284d9fab2a
Instruction ID: fc35fd8760f7639580a8726d76697acfa3c04ee9ca8fc2d5847893a781dd7c2f
Opcode Fuzzy Hash: f1bc3a5f78dbca669b89b690e63c9a506ba9257ab2e9d2f06a8094284d9fab2a
Instruction Fuzzy Hash: F5B12AB4A00229CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0177E, Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 18125d957cd90a37d73a3302730cb32f818e8b3716086c981a69d18467f4db2e
Instruction ID: 43e5ba15f48f5dbe11522a767144e766bfa05521ded4d3a195567cb1df4ec6d7
Opcode Fuzzy Hash: 18125d957cd90a37d73a3302730cb32f818e8b3716086c981a69d18467f4db2e
Instruction Fuzzy Hash: CFB13AB4A00229CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E017C6, Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 92a8e7272cd9209e2320114270a6af24f9855b5ea0fc665798d2db09e9702063
Instruction ID: b5f373d9c80f1eb4ac0b561eccfd5b2eee6e097816d9365b11970b2c3f90ae3c
Opcode Fuzzy Hash: 92a8e7272cd9209e2320114270a6af24f9855b5ea0fc665798d2db09e9702063
Instruction Fuzzy Hash: 67A13AB4A01229CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01824, Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 584d17134024358853a9abbe3ca9e33185e2202603dd789fdfd98cb60723fdc6
Instruction ID: dd559a54b3d4effb07dc432ff65ac58880ad5f53111224955c8b30121d368ff7
Opcode Fuzzy Hash: 584d17134024358853a9abbe3ca9e33185e2202603dd789fdfd98cb60723fdc6
Instruction Fuzzy Hash: 67A12AB4A00229CFCB24DB60C9947AD77B6BF88305F6094E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0186C, Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8c6691caf522186f4aa095cf35031abe6437a1093729bceff02cc636aff95321
Instruction ID: 0afaf2dd5a09dd3d2f158ddba78f403a5e969a8555f6beaff796eb3964922f6b
Opcode Fuzzy Hash: 8c6691caf522186f4aa095cf35031abe6437a1093729bceff02cc636aff95321
Instruction Fuzzy Hash: 22913AB0A00229CFCB249B60C9947AD77B6BF88305F6094EDD609A7340DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E018B4, Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e5af75a77b0bc0124b60c78fdcc883c4a208292839c3dab7840a57bf53ee9c69
Instruction ID: 1c4fc60d4178e109f1f184bae1ae7c8c9683bc59fff3e25a079322e40857d1ab
Opcode Fuzzy Hash: e5af75a77b0bc0124b60c78fdcc883c4a208292839c3dab7840a57bf53ee9c69
Instruction Fuzzy Hash: 3E913BB4A01229CFCB24DB60C9947AD77B6BF88305F6084E9D609A7340DF359E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E018FC, Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3bd56ac3c1819249912d74d099c94b3d969e456657f0f46a9dc5def762549f07
Instruction ID: c92b53d64d67a1e05921e3df11877c624a86aaa30b9ad2b5a2994fdf86287725
Opcode Fuzzy Hash: 3bd56ac3c1819249912d74d099c94b3d969e456657f0f46a9dc5def762549f07
Instruction Fuzzy Hash: 24914AB0A002298FCB24DB60C9947AD77B6BF88305F5084EDD609A7380DF349E86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01944, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d8160b28e8655739765f4e7e218286bf5d54fbf790fce74e1c3a572117efcbc1
Instruction ID: e1a8a50a390625d91963ced0f2998ff2dbb351c814ebfdf1f923f457e0c1e595
Opcode Fuzzy Hash: d8160b28e8655739765f4e7e218286bf5d54fbf790fce74e1c3a572117efcbc1
Instruction Fuzzy Hash: 64814CB4A002298FCB64DB64C9947AD77B6BF88305F1084EDD609A7380DF359D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E0198C, Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4928e080b31edbdeb41bea9fd538967d8fe129f428ec5688054b5ec448ed6080
Instruction ID: 30f81d6518d8c4d5d8aa63ad36e25225114735cae24ea7974f3e2b2ff17be129
Opcode Fuzzy Hash: 4928e080b31edbdeb41bea9fd538967d8fe129f428ec5688054b5ec448ed6080
Instruction Fuzzy Hash: 84813DB4A00229CFCB64DB64C9547AD77B6AF88305F2084EDD609A7380DF399D86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E019D4, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b4079e0dab5818f9c00da40ce48d377e042522785be80c71d0bf734f32e8faa5
Instruction ID: 22bf64d6ce2b03a46d2c39a2efb5ff42748848042e8d8ef713bf8d3c401861f1
Opcode Fuzzy Hash: b4079e0dab5818f9c00da40ce48d377e042522785be80c71d0bf734f32e8faa5
Instruction Fuzzy Hash: 34713DB4A002298FCB64DB64C9947AD77B6BF88305F1084EDD609A7380DF399D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E17B08, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E17B49

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9fede55f618831a137ed4141aae475ab87cd7591a9108128c4548c918b20d4ef
Instruction ID: c657e64e586d0d58bb10e9fac306f5145544526906cf1179775fd0e4de999acd
Opcode Fuzzy Hash: 9fede55f618831a137ed4141aae475ab87cd7591a9108128c4548c918b20d4ef
Instruction Fuzzy Hash: C4613E70A14309DBDB14DBB4D858BEEBBB2AF85704F109528D546E7390DF789885CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E01A1C, Relevance: 1.7, APIs: 1, Instructions: 174COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b990a901ed3d000c13f73f92fc8a1234023a93f2d306284471b752ac5c48577d
Instruction ID: c7e2ab25847fc29216fe2b6925ad45280c2e5191e660a88c58f51d623bca12a8
Opcode Fuzzy Hash: b990a901ed3d000c13f73f92fc8a1234023a93f2d306284471b752ac5c48577d
Instruction Fuzzy Hash: FC715EB0A00229CFCB64EB64C9587AD77B6AF88305F1484EDD609A7380DF398D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E179B8, Relevance: 1.7, APIs: 1, Instructions: 172libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E17B49

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 561165f53634db2c3b68bcdfaae48d4fd613e8061b5f757d07e74796231cf958
Instruction ID: 5cbc7230263591d2e9317ec2a318fa028078ee6df76721133b1bc1a51bc6d115
Opcode Fuzzy Hash: 561165f53634db2c3b68bcdfaae48d4fd613e8061b5f757d07e74796231cf958
Instruction Fuzzy Hash: 4D51B434A09385DFD7029BB4D8586997FB1AF4B304F1684EAD084EF6A2DB35CC49CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00E01A64, Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a584ccf106e38573a5497a131625537200f982895895f5f8441d2ceedfc55623
Instruction ID: 3e9543801f8ab29c256176c03d6a01bae6d8f6c110201002363acd6ba172d2b4
Opcode Fuzzy Hash: a584ccf106e38573a5497a131625537200f982895895f5f8441d2ceedfc55623
Instruction Fuzzy Hash: 016140B0A002298FCB64DB64C9987AD77B6AF88305F1484EDD509E7380DF398D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01AAC, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4386c4d3f166f15056325e9f4859e0372ce5f9be81467bd2ec3a8362c3d231b8
Instruction ID: af1841f9910fa9ce628531c76ec6f9fed655c99222ffd673bf7f96f99282c3e1
Opcode Fuzzy Hash: 4386c4d3f166f15056325e9f4859e0372ce5f9be81467bd2ec3a8362c3d231b8
Instruction Fuzzy Hash: 63515EB0A002298FCB64EB64C9587AD77B6AF88305F1484EDD909E7384DF398D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E01AF4, Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00E01B0F

Memory Dump Source

Source File: 00000004.00000002.477506547.0000000000E00000.00000040.00000001.sdmp, Offset: 00E00000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d1ced914e769282600cfc98a614760caff9cf8fb3a7d725fb6c4de5ef6c63544
Instruction ID: e71d915955f9c12526e540b34940550090a3bbebc14f27685afb30cb4656456b
Opcode Fuzzy Hash: d1ced914e769282600cfc98a614760caff9cf8fb3a7d725fb6c4de5ef6c63544
Instruction Fuzzy Hash: C5516FB0A002298BCB64EB64C9587AD76B6AF88305F1484EDD909E7384DF398D85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00E1DF70, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00E1DFCF

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df39d24f3a725e84a379058f1c093cd0974239903d52c418e3487e10af46b381
Instruction ID: dccfa1a75f3e7961b7322eb24e5fd756ca5bd580c18d75db08fd3b45578c4f0e
Opcode Fuzzy Hash: df39d24f3a725e84a379058f1c093cd0974239903d52c418e3487e10af46b381
Instruction Fuzzy Hash: E2516671B002099BCB04EBB4D855AEEB7B6BF84304B14896DE916EB391DF70DC448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40F78, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b117d086036cb1491efe3b212d5447a8031020cf5ba36b9a28fafea9491a3e32
Instruction ID: 36fd49b2d193ad11bbc74227876d75b2fa0460a64bf1e7268f2a1d2c195d183a
Opcode Fuzzy Hash: b117d086036cb1491efe3b212d5447a8031020cf5ba36b9a28fafea9491a3e32
Instruction Fuzzy Hash: 90411371E043558FCB04DFA9D8146EEBBF4AF89314F0585BAD804B7241DB749884CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1902F, Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00E19144

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 699efb8cd8cca700df3f1dc525b21049f664e6673ad03068c142aaecb0195580
Instruction ID: af28e119e49d8ea03f2e72cbb33aa252e4362bc0893b61ab2a96370de627ea6d
Opcode Fuzzy Hash: 699efb8cd8cca700df3f1dc525b21049f664e6673ad03068c142aaecb0195580
Instruction Fuzzy Hash: DF4148B0A05349DFDB00CFA9C548ACEBFF1AF49304F1981AAD809AB352C7759885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E192A7, Relevance: 1.6, APIs: 1, Instructions: 112registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00E193B1

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3bd186c702b9f19b7ac2f2456e31fc892d92cc1e7489fc5fb89b5d8afda2fe65
Instruction ID: 4b1268793ee17e628ce04ab2eb168d8d262a5d941548aa896e18714fb6002b85
Opcode Fuzzy Hash: 3bd186c702b9f19b7ac2f2456e31fc892d92cc1e7489fc5fb89b5d8afda2fe65
Instruction Fuzzy Hash: CD4124B1D002589FCB20CFAAC894ADEBBF5BF49314F14806AE819FB351D7749845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E192EC, Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00E193B1

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b7be81c2a397d6c0faba8b6c8eaa03d2fd9d09e1a5d2758a4189aa20ab66cb67
Instruction ID: 59d8ee04aed34c4540868183e5b5f71c3b6decaeeb2143f7a79c9e4688fc8801
Opcode Fuzzy Hash: b7be81c2a397d6c0faba8b6c8eaa03d2fd9d09e1a5d2758a4189aa20ab66cb67
Instruction Fuzzy Hash: 9041EEB1D01258DFCB20CF9AC884ACEBBF5BF49314F15806AE829AB350C7709945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E192F8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00E193B1

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ff698c996332cadcc1d979275c822c73b0b0fa6dd273d7b64eed9a74ede6b2e
Instruction ID: 5cbf41174436dff44c86ddc1fd82c48bec6d2295647b69bc961516368e8812d2
Opcode Fuzzy Hash: 2ff698c996332cadcc1d979275c822c73b0b0fa6dd273d7b64eed9a74ede6b2e
Instruction Fuzzy Hash: 4731DEB1D002589FCB20CF9AC894ACEBBF5BF48714F14812AE829BB350D7709945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E19090, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 00E19144

Memory Dump Source

Source File: 00000004.00000002.477534960.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 78f723d5f82530b869f5786f0285f7e9d1104982a074815937acdfe513f2fb58
Instruction ID: 5fe306c81bf71d416f211fa69080253e99aca53b78a537bb1b4e8000992ce4d0
Opcode Fuzzy Hash: 78f723d5f82530b869f5786f0285f7e9d1104982a074815937acdfe513f2fb58
Instruction Fuzzy Hash: 9731EEB0D012499FDB14CF99C588ACEFBF5BF49304F29816AE809AB341C7759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4EB28, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00E4EB09,00000800), ref: 00E4EB9A

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dd993a3f60a4fa975c0326c1f4ff9963c0e07ba65eb6dc6a6069f615e6b324d
Instruction ID: dd1d72bf9dd3c4e004bd37d15f7ae91640660994ea9412e8d52f0e921511071d
Opcode Fuzzy Hash: 4dd993a3f60a4fa975c0326c1f4ff9963c0e07ba65eb6dc6a6069f615e6b324d
Instruction Fuzzy Hash: A92122B6D002488FDB10CFAAD444ADEBBF4AB89314F14856AD815B7600C3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E4C4F4, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00E4EB09,00000800), ref: 00E4EB9A

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4fb770d64ed2c8db5d608e4a522da474c774a3d6169293846080d186d1e343f3
Instruction ID: 8deeb33fbe5317b4328bcccc64f808f668b9a1dd70fdf009cd60b0acbd83d26b
Opcode Fuzzy Hash: 4fb770d64ed2c8db5d608e4a522da474c774a3d6169293846080d186d1e343f3
Instruction Fuzzy Hash: 461103B29002098FDB20CF9AD444BDEBBF4EB88314F14842AE915B7700C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E41048, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00E410B7

Memory Dump Source

Source File: 00000004.00000002.477596364.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c70aa31503b80d631f862555a84d79b1bbec6018de41c2468232a97a79196777
Instruction ID: 64dc41452f4de367e8d427c06c933a874c741aca39b7366b2b6bfc7db91d98ca
Opcode Fuzzy Hash: c70aa31503b80d631f862555a84d79b1bbec6018de41c2468232a97a79196777
Instruction Fuzzy Hash: 111122B1C002599FCB10CF9AD444BEEFBF4AF48324F14826AD814B7640D778A9458FE2

Uniqueness

Uniqueness Score: -1.00%

Function 00E21EC1, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

P@/l, xrefs: 00E21F47

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID: P@/l
API String ID: 0-3435874400
Opcode ID: 158c38478fb928de7333bc703077bf0193dbee1490c91b823003902902e7737d
Instruction ID: 273f44c740ca28a1f11c5878c55343e0f27831dd989fb32efa043195fbb4410e
Opcode Fuzzy Hash: 158c38478fb928de7333bc703077bf0193dbee1490c91b823003902902e7737d
Instruction Fuzzy Hash: 0431EF31B00208CFDB049F78D9196AEBBB2AF88345B148568D816EB790EF70DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E21ED0, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@/l, xrefs: 00E21F47

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID: P@/l
API String ID: 0-3435874400
Opcode ID: 4d5ec638028e5837a76fc1765f278733f8efa60a1a219417aa82e81775e9e16a
Instruction ID: 0c8ba37d9c8f470a927ccdc02b4d91fc18911d51a1149b99d964a2e0eab08982
Opcode Fuzzy Hash: 4d5ec638028e5837a76fc1765f278733f8efa60a1a219417aa82e81775e9e16a
Instruction Fuzzy Hash: E231BE31B00208CFDB14AB78D8146AEBBF2AF88245B148568D816EB790EF70DD458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E23578, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

_, xrefs: 00E23566

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 4f980b0d485998772ff3a46b318c110594f64c90e3a1490b038c40f4775493a3
Instruction ID: 53a70e1dbdb4dde895fa181eb588c1b102cf7c5f1511b942bc97ef5b8c0726c5
Opcode Fuzzy Hash: 4f980b0d485998772ff3a46b318c110594f64c90e3a1490b038c40f4775493a3
Instruction Fuzzy Hash: 82112B72F002219FCB04DBB898096DEBFE4EF44320F1405E6E149EB391EB3486058BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CAD1, Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad466c6237aa7747df2be597fa47865c38ed43d65146fe5cbf6a724ab491e0a
Instruction ID: e5a887e584b0104ffb5e10e21853bf140f134520212325d24809aebb8d7bce98
Opcode Fuzzy Hash: dad466c6237aa7747df2be597fa47865c38ed43d65146fe5cbf6a724ab491e0a
Instruction Fuzzy Hash: 6E917035B043148FDB04ABB8D8647AE7BF3AF89344F254429E50ADB794EF749C068B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A798, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d77ddd9c3a39736f56fd857f1a3fd72b24b39fb02859b18e9d679571dd0eb2f
Instruction ID: b9c921e6d15a1abb304ab146400365243bf29952b3de47a9208d4d11864bc315
Opcode Fuzzy Hash: 1d77ddd9c3a39736f56fd857f1a3fd72b24b39fb02859b18e9d679571dd0eb2f
Instruction Fuzzy Hash: 0EA17C71A00259DFCF09CFA4D944ADDBBB2FF89304F18856AE815AB261D730AC55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2EE79, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088d6152bf1f12fd427b986e6c6cd7d5c9ec69c606fc6e39e1a40d409388a3cb
Instruction ID: d995d4ab89fbcd5358e7e47b99232db37095489ff8232864a1864d4eaafec550
Opcode Fuzzy Hash: 088d6152bf1f12fd427b986e6c6cd7d5c9ec69c606fc6e39e1a40d409388a3cb
Instruction Fuzzy Hash: 9C81EE30B002548FDB14AB78C86976EBAE2AF85304F19C47DE40AAF792DF70DC4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CB30, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1faf2a036c2936ebd93d2570330cb55f91b51cb78e7944bbe352271a4fed413
Instruction ID: 188a0580adc1c2599dcc135670a08666d102136968a0cc1487c32c8198eb53ca
Opcode Fuzzy Hash: a1faf2a036c2936ebd93d2570330cb55f91b51cb78e7944bbe352271a4fed413
Instruction Fuzzy Hash: E4716F30B003148FDB549BB8D8647BE7AF6AFC8304F254429E506EB794EF749C468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A478, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cffa5cd33a3e19f1fa8efe07c42bcb5560c3103d5927a0a5fa7b8528961b02d
Instruction ID: 76e1a5c5f48abf84100f315a529177ab5dee8c92bc05496a18181f78c38ab2a1
Opcode Fuzzy Hash: 8cffa5cd33a3e19f1fa8efe07c42bcb5560c3103d5927a0a5fa7b8528961b02d
Instruction Fuzzy Hash: 5B7139307102158FCB14DF28D898ABE7BE6AF59344B1D50A9E912EB3B1DB74DC81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E20016, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8359656541594630324322cea50dffcaea1f444e9960247cd87eee7c86a93f37
Instruction ID: 47f6a32fd06c199b1a26f8e087b2d9849a0c4e6e0d35654ffed6210b3fe56343
Opcode Fuzzy Hash: 8359656541594630324322cea50dffcaea1f444e9960247cd87eee7c86a93f37
Instruction Fuzzy Hash: 0C517974E00358CFDB14AFB4E95869EBBB2AF89305F1044A9D909EB391EF348D458F60

Uniqueness

Uniqueness Score: -1.00%

Function 00E2DE1F, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b21111ce708c89997c6750a97fd0f5912f1748ab90316ce51a984294be1c1d
Instruction ID: 6c9bd45cd941935ae2373549290c4a1096648885febd7864e82663b2c3d0762f
Opcode Fuzzy Hash: b8b21111ce708c89997c6750a97fd0f5912f1748ab90316ce51a984294be1c1d
Instruction Fuzzy Hash: 1C514971E047698FEB11CFA5C940AEDFBF2AF89304F249259E906BB651D370AD85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CE1C, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b517c80e4df935205a34fff52b21f82b89b72cb66eb05ab85d6d7943cfed28
Instruction ID: 7ea3269e7e37c57fd920f323a7b43d257f811c11ddbc3c2b1241c07cbc74634e
Opcode Fuzzy Hash: 08b517c80e4df935205a34fff52b21f82b89b72cb66eb05ab85d6d7943cfed28
Instruction Fuzzy Hash: AF414035B003158FDB549BB4D8297BE7AF6AF88704F244428D906EB794EF748C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A8EB, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6db21444d79df9caa086bc4066fd4267900a719ffbb895642922875a57da84
Instruction ID: e742414fd48073f45c35dabe932583197335c7e4036d24f5c44bac129b4a0b70
Opcode Fuzzy Hash: cb6db21444d79df9caa086bc4066fd4267900a719ffbb895642922875a57da84
Instruction Fuzzy Hash: AB41E171A04259DFCF11CFA4E840ADEBFB2EF89314F098165E915AB291D330ED55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477166432.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37345d4cbf90ce1aa08817c2017b0d0e787ee7a1593d5acdbf899c316a16176b
Instruction ID: 6d0f6b150203c5eeb2d0abc90d191b374318ba6baaf14b29d8653b735eb32e3c
Opcode Fuzzy Hash: 37345d4cbf90ce1aa08817c2017b0d0e787ee7a1593d5acdbf899c316a16176b
Instruction Fuzzy Hash: 182125B1504244EFDF11DF14D8C0B2ABF66FB98329F2485A9EC054B246D336D85ADBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477225675.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a46664214ae10201203f8cfc9dcb1c15606e7dfa8d27fb9c631a68e49062f1
Instruction ID: 730fbb2832007ca2b20ca2ae13ed96ef6195f312d268b5b9f82e6f15607558e4
Opcode Fuzzy Hash: d9a46664214ae10201203f8cfc9dcb1c15606e7dfa8d27fb9c631a68e49062f1
Instruction Fuzzy Hash: 5321F275A04240DFDB14CF14E8C4B26BB66FB88324F24C969E8494B346C73AD84BCAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E23708, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986cedcceb5c0213c3e99c6420d8abf86269233a28868545d56c2017d2935c88
Instruction ID: 1d7ddf03dc9ec4268014cec480ba1e3aeb6d972ccb127bdc1c20b6ff01694096
Opcode Fuzzy Hash: 986cedcceb5c0213c3e99c6420d8abf86269233a28868545d56c2017d2935c88
Instruction Fuzzy Hash: 29219C20F0819046DB2D9634A68435D6B429B8231CF2CD9AAD0595E6C7D77BC94B8752

Uniqueness

Uniqueness Score: -1.00%

Function 00D6D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477225675.0000000000D6D000.00000040.00000001.sdmp, Offset: 00D6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d75ca724b22c31e207caf8f3e1d063808087f49bf82875c7b9403955aae4ab
Instruction ID: 6d57905de9329d7e7bdf0bf6022454062b41c0783ee62fcfffb21078e44128ab
Opcode Fuzzy Hash: b1d75ca724b22c31e207caf8f3e1d063808087f49bf82875c7b9403955aae4ab
Instruction Fuzzy Hash: 062180755093C08FCB02CF24D994B15BF72EB46314F28C5EBD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A9D0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4509fa753163159336ea3f9fc0d9e576973dbf166cd346c9b2edceaf66af492c
Instruction ID: 898ff6db99dcf5dc03df9df55fe1b35989511e20d5d186a738939e477ecd18ea
Opcode Fuzzy Hash: 4509fa753163159336ea3f9fc0d9e576973dbf166cd346c9b2edceaf66af492c
Instruction Fuzzy Hash: 5811E671600215DFDB10CF58D940B9EBBF2EF89314F089265E519BB292D371F850C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477166432.0000000000D5D000.00000040.00000001.sdmp, Offset: 00D5D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction ID: 84ae36b019730475f85f0eefb72b49c9017346a44e6e31c1e65ead0d2871a8ce
Opcode Fuzzy Hash: 99d004d151982520d82b782d4735647871151bc0f40ac205a76a03d9cb8f3c13
Instruction Fuzzy Hash: 4E11AF76404284CFCF12CF10D5C4B16BF62FB94325F2886A9DC094B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E2C9FF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf15cb3a92bc65a4847e4d85f965c1014e1dc83e0143102a18b165046ec5cf5a
Instruction ID: 8e2ed2e4216f41e9659aa8ae4e9b86b9ded803f9a7c3d44801352861aab0c52c
Opcode Fuzzy Hash: bf15cb3a92bc65a4847e4d85f965c1014e1dc83e0143102a18b165046ec5cf5a
Instruction Fuzzy Hash: 2B11A375F002289FCB41FBB8D9456AEB7F2AF8C3007148569D509E7355EB309D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E21DF8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13784bebc3c6289e0ce13259bb090c9185896574a0c37c9d38fc1067da65b05c
Instruction ID: bb6162ec96e4526a084cb8775c365dc5fd0ccf713fc5e62d72c877264667ec8c
Opcode Fuzzy Hash: 13784bebc3c6289e0ce13259bb090c9185896574a0c37c9d38fc1067da65b05c
Instruction Fuzzy Hash: F1119E75F002189FCB80EFB8D84959DBBF1FB8C2017108469E90AE7344EF309D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E21E00, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7755ba4150221f3753e8392aa00e1231e5077d74d999a3b19a526bf2ba859971
Instruction ID: 60bd2115dae211f87c26935071180a5b13556376147f3a735bd6d7cc864ee0d0
Opcode Fuzzy Hash: 7755ba4150221f3753e8392aa00e1231e5077d74d999a3b19a526bf2ba859971
Instruction Fuzzy Hash: 94117075B002189F8B40EFB9D84599EBBF5FB8C2157108469E90AE7354EF309D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CA10, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e8b301aeeca629472cf1d368a9d71230e14fe29357aa50de9c55daa3867f7
Instruction ID: c068f048a70d256bd4047e1b4127efa68b34d1c9b8e95a0036780f2ea9f95fea
Opcode Fuzzy Hash: 9a0e8b301aeeca629472cf1d368a9d71230e14fe29357aa50de9c55daa3867f7
Instruction Fuzzy Hash: FE116174F002288F8B40EB7DD8419AEB7F6BB883107108569E50AE7354EB349D018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E22D10, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78de01be604427b3d7bd3d3563132a163c45c88a494dee95a13a0420d90274bc
Instruction ID: e45e2a8b417d2ea714d8456a2b414364a53eecb801ab6a3d1804688c98d8ece1
Opcode Fuzzy Hash: 78de01be604427b3d7bd3d3563132a163c45c88a494dee95a13a0420d90274bc
Instruction Fuzzy Hash: C8116174F042289F8B40FBBDE84599EB7F6BB882107108569E609E7354EF349E018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E22D0F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b729fc2786c814143cf1ddb8281603209c04646a8cbfbc61fa6c62dc26ab9f89
Instruction ID: 1e9f97efb386f3c98c594c7143c9a70699634172c37d1ce5bcf6dce1800a3191
Opcode Fuzzy Hash: b729fc2786c814143cf1ddb8281603209c04646a8cbfbc61fa6c62dc26ab9f89
Instruction Fuzzy Hash: 39116174F002289F8B40EBBDE945A9E77F2BF882007108569D609E7354EB349E018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A788, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4caadfda3c4418efbf7efa08301fa5dfc48b2bc3d69fc5bfacd1753b3f709e2
Instruction ID: fe0005f1cfde79dc10ce6704f7446db793e1d49a5091a648aecbb42c3bf3a6eb
Opcode Fuzzy Hash: a4caadfda3c4418efbf7efa08301fa5dfc48b2bc3d69fc5bfacd1753b3f709e2
Instruction Fuzzy Hash: 41012575A0022C9FCF04CF98D9058DDBBB9FF88310F05802AE906BB254D7749A19CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E23588, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7641ec0c7970a0edeb17219d14d7c8829fc237b4b35dafc354c2df9dc4acee53
Instruction ID: 28f03d5ded26fd48edd235b8ce5df1faf829ac2526f020ad104066ed1e721ad5
Opcode Fuzzy Hash: 7641ec0c7970a0edeb17219d14d7c8829fc237b4b35dafc354c2df9dc4acee53
Instruction Fuzzy Hash: C3F0A771F002189FCB40ABBCA8096EF7AF9EF88360B100935E409E3340EE348E0187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E21E61, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fec46911c4693baaa621fb6b2382a2ae6baa63c7c9ac4ad64b217562fb88d8
Instruction ID: d42764a1775cbccc6cc191f6ee582d0620d41e589edb95cbe57e49c4b75246c1
Opcode Fuzzy Hash: e9fec46911c4693baaa621fb6b2382a2ae6baa63c7c9ac4ad64b217562fb88d8
Instruction Fuzzy Hash: 87E06D39B101189F8F44EBB8E8494DC77F2FB8C31570044A5EA0AE7354DF349D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2CA6F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d418fb242669c991ac880204e043523b44d5afc9b759be1fd5c785d5f6d2776
Instruction ID: e57cf33b698c2df6a757bca6ffca304e376844f65c0c70c8e42ae748837790bb
Opcode Fuzzy Hash: 2d418fb242669c991ac880204e043523b44d5afc9b759be1fd5c785d5f6d2776
Instruction Fuzzy Hash: 2BE0ED35F011288B8F44FBB9E8455DD73F2BBC8315B1440A9E60AE7354DE349D018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E22D6F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29908986f9d2e218b876ea1f54a81d131cf111e9c2499ec20c8eac03bc6b2b8
Instruction ID: c9f6cbd8b9c641409b2304d0406258613f5e8603011dfcdcd52c6758dfddd970
Opcode Fuzzy Hash: b29908986f9d2e218b876ea1f54a81d131cf111e9c2499ec20c8eac03bc6b2b8
Instruction Fuzzy Hash: 3CE0ED35F041289B8F44FBB9E8555DD73F2BB88314B1440A8E60AE7354DE349D018B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E21204, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.477564441.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e147fc2dd91bf56944ef87591da8a79bc0d1992ef50f52e70b377c17ccad84f
Instruction ID: e52ff5f14a67432a12d0c66774bb40c248686467e2102088f15701eca9abf1c4
Opcode Fuzzy Hash: 4e147fc2dd91bf56944ef87591da8a79bc0d1992ef50f52e70b377c17ccad84f
Instruction Fuzzy Hash: 78A002363049005B8748E715D9619DFE3A37FE4218B74C62D50A943664DB309C1D8657

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report .exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre