Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Trojan.MulDrop15.61980.13868.3384

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.3384 (renamed file extension from 3384 to exe)
Analysis ID:	323839
MD5:	0998148d355b1e7bad7b44558aa4c125
SHA1:	5d062cb98564c1f2bc821c0a3e81b228780f77f7
SHA256:	8ef317f2278fbe6a533e8f78b932698e986280d2f4a6716aaaaa4dc5692222a8
Tags:	AgentTesla
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe (PID: 1740 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe' MD5: 0998148D355B1E7BAD7B44558AA4C125)

SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe (PID: 5936 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe (PID: 5664 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6248 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6828 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6888 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6896 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6904 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6536 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe' MD5: 0998148D355B1E7BAD7B44558AA4C125)

vlc.exe (PID: 6996 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe MD5: 0998148D355B1E7BAD7B44558AA4C125)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "qRlQv5b8v4k0m", "URL: ": "http://5YdEMfw1vYcxQtIJ.com", "To: ": "bmmc@novget.com", "ByHost: ": "novget.com:587", "Password: ": "fTUctjBYd8i", "From: ": "bmmc@novget.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.301127275.0000000002BC1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.301544638.0000000003B41000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.252002961.0000000002C61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.316335903.0000000002978000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.494562870.0000000003276000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.252121672.0000000002D02000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vlc.exe PID: 6248	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vlc.exe PID: 6996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vlc.exe PID: 6996	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vlc.exe PID: 6536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 1740	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vlc.exe PID: 6904	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: vlc.exe PID: 6904	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.vlc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
20.2.vlc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.5664.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "qRlQv5b8v4k0m", "URL: ": "http://5YdEMfw1vYcxQtIJ.com", "To: ": "bmmc@novget.com", "ByHost: ": "novget.com:587", "Password: ": "fTUctjBYd8i", "From: ": "bmmc@novget.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Virustotal: Detection: 30%			Perma Link
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Joe Sandbox ML: detected

Source: 2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 20.2.vlc.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 19.2.vlc.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49743 -> 167.88.170.2:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49745 -> 167.88.170.2:587

May check the online IP address of the machine

Show sources

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Joe Sandbox View	IP Address: 184.73.247.141 184.73.247.141
Source: Joe Sandbox View	IP Address: 184.73.247.141 184.73.247.141

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.498331561.000000000348A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.499427077.00000000034E3000.00000004.00000001.sdmp	String found in binary or memory: http://5YdEMfw1vYcxQtIJ.com
Source: vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: http://HReuFq.com
Source: vlc.exe, 00000013.00000002.492517745.00000000030AC000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000003.472294046.00000000015B6000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.499968225.00000000067C5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000003.472294046.00000000015B6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidation
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.494298446.000000000325B000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.499968225.00000000067C5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: vlc.exe, 00000013.00000002.492517745.00000000030AC000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218382193.0000000005C30000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipN
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.499127131.00000000034D6000.00000004.00000001.sdmp	String found in binary or memory: http://novget.com
Source: vlc.exe, 00000013.00000002.499968225.00000000067C5000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: vlc.exe	String found in binary or memory: http://schemas.microso
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492364241.0000000003098000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220201223.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220201223.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comon
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comq
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comyrlS
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223959100.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/N
Source: vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223854426.0000000005C52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/O
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225560487.0000000005C4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers9
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224188865.0000000005C52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersE
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225123261.0000000005C52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225457522.0000000005C52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersk
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224188865.0000000005C52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersz
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFN
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224549941.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comL.TTF
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.230794690.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comaT
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225588787.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225487535.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcom
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225487535.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comditom
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed7
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224198483.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedf
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223821132.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comique
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225009614.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitud
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.230975135.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitum
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtu
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224146770.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225588787.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comvT
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.226940473.0000000005C33000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221786965.0000000005C34000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220932324.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Liha
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221333628.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0t
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222987089.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/T
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/m
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220785926.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r-t
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222469453.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220932324.0000000005C34000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/uheT
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.229992289.0000000005C1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222024096.0000000005C56000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.219300688.0000000005C1A000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.219300688.0000000005C1A000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krU
Source: vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.neta_
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218827779.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netalik
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netez
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netivh
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netsiv-u
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.3
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492364241.0000000003098000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org4$l8
Source: vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, vlc.exe, 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	String found in binary or memory: https://discord.com/
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	String found in binary or memory: https://discord.com/4
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	String found in binary or memory: https://discord.com/8
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.494298446.000000000325B000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.499968225.00000000067C5000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, vlc.exe, 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.251609553.00000000010EB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_010AC284	0_2_010AC284
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_010AE640	0_2_010AE640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_010AE650	0_2_010AE650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_0742C398	0_2_0742C398
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_0742BAC8	0_2_0742BAC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_0742B780	0_2_0742B780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06843FE8	2_2_06843FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06841448	2_2_06841448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06847308	2_2_06847308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0684B9B0	2_2_0684B9B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0684ED98	2_2_0684ED98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06848A30	2_2_06848A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06846278	2_2_06846278
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_068493A0	2_2_068493A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06872618	2_2_06872618
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687F780	2_2_0687F780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06871FE0	2_2_06871FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687EB0C	2_2_0687EB0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687D738	2_2_0687D738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687AB78	2_2_0687AB78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687BA88	2_2_0687BA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_0687CFF8	2_2_0687CFF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06878FF8	2_2_06878FF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5DFE0	2_2_06A5DFE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A593E8	2_2_06A593E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A50040	2_2_06A50040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A54D80	2_2_06A54D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5B130	2_2_06A5B130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5D158	2_2_06A5D158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A555C7	2_2_06A555C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A555D0	2_2_06A555D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5B123	2_2_06A5B123
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_00ECC284	6_2_00ECC284
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_00ECE640	6_2_00ECE640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_00ECE650	6_2_00ECE650
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C30448	6_2_06C30448
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C32D38	6_2_06C32D38
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C36158	6_2_06C36158
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06D6BAC8	6_2_06D6BAC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06D6C398	6_2_06D6C398
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06D6B780	6_2_06D6B780
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_00DEC284	11_2_00DEC284
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_00DEE650	11_2_00DEE650
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_00DEE640	11_2_00DEE640
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_06B4BAC8	11_2_06B4BAC8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_06B4C398	11_2_06B4C398
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_06B4B780	11_2_06B4B780
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_07260428	11_2_07260428
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_0726BAA0	11_2_0726BAA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_072647C1	11_2_072647C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_072647D0	11_2_072647D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_07265920	11_2_07265920
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_0726591E	11_2_0726591E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_072601B0	11_2_072601B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 11_2_0726019F	11_2_0726019F

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@17/7@6/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Virustotal: Detection: 30%
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe'
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 0_2_074230F8 push 00C364D1h; ret	0_2_07423135
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06849711 push eax; iretd	2_2_068497B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_068776BF push es; iretd	2_2_068776FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06877E3F push edi; retn 0000h	2_2_06877E41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06871093 push es; ret	2_2_06871094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_068710A3 push es; ret	2_2_068710D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5E5B8 pushad ; ret	2_2_06A5E63A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5CAF8 push edx; ret	2_2_06A5CAFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5CAFB push edx; ret	2_2_06A5CB02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5E63B pushad ; ret	2_2_06A5E642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5CB9B push ebx; ret	2_2_06A5CBA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5CB53 push ebx; ret	2_2_06A5CB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5D0F8 push esi; ret	2_2_06A5D0FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5D0FB push esi; ret	2_2_06A5D102
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5C84B push ecx; ret	2_2_06A5C852
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5ED9B pushad ; ret	2_2_06A5EDA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5CD01 push esp; ret	2_2_06A5CD02
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5E500 pushad ; ret	2_2_06A5E502
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5ED03 push eax; ret	2_2_06A5ED09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5E50B pushad ; ret	2_2_06A5E552
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Code function: 2_2_06A5E553 pushad ; ret	2_2_06A5E55A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C35E81 push ebp; retn 0006h	6_2_06C35E82
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C357B0 push eax; retn 0006h	6_2_06C357B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C325AD push eax; retn 0006h	6_2_06C325C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C38297 push 0000007Dh; ret	6_2_06C3832E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C35A68 push edx; retn 0006h	6_2_06C35A6A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C35A70 push edx; retn 0006h	6_2_06C35A72
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C35A78 push edx; retn 0006h	6_2_06C35AD2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C37218 pushad ; retn 0006h	6_2_06C3721A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C37311 pushad ; retn 0006h	6_2_06C37312
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Code function: 6_2_06C3731B pushad ; retn 0006h	6_2_06C37332

Source: initial sample	Static PE information: section name: .text entropy: 7.96249614821
Source: initial sample	Static PE information: section name: .text entropy: 7.96249614821

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: vlc.exe.0.dr, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: vlc.exe.0.dr, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.900000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 0.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.900000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 0.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.900000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 0.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.900000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 1.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.380000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 1.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.380000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 1.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.380000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 1.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.380000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.df0000.1.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.df0000.1.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 2.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.df0000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 2.0.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.df0000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 6.0.vlc.exe.720000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 6.0.vlc.exe.720000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 6.2.vlc.exe.720000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 6.2.vlc.exe.720000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 11.2.vlc.exe.450000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 11.2.vlc.exe.450000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 11.0.vlc.exe.450000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 11.0.vlc.exe.450000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 16.0.vlc.exe.310000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 16.0.vlc.exe.310000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 16.2.vlc.exe.310000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 16.2.vlc.exe.310000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 17.0.vlc.exe.160000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 17.0.vlc.exe.160000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 17.2.vlc.exe.160000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 17.2.vlc.exe.160000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 18.2.vlc.exe.210000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 18.2.vlc.exe.210000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 18.0.vlc.exe.210000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 18.0.vlc.exe.210000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 19.2.vlc.exe.a30000.1.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 19.2.vlc.exe.a30000.1.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 19.0.vlc.exe.a30000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 19.0.vlc.exe.a30000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 20.2.vlc.exe.870000.1.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 20.2.vlc.exe.870000.1.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'
Source: 20.0.vlc.exe.870000.0.unpack, c2Fo1FUEUu0RWAsNqc/iCBtguA2vUiZwpErbx.cs	High entropy of concatenated method names: '.ctor', 'iCBAtgu2v', 'biZUwpErb', 'zU2qFo1FE', 'Dispose', 'bu0cRWAsN', 'blGCQ2p59jBKi6Eh09', 'RpJlS91oerHo5WgUoj', 'TIaY7n381CVUDcgeVK', 'sGHUJcud3rxknBYegI'
Source: 20.0.vlc.exe.870000.0.unpack, fq3MQHL5s4kEV6MXwJ/wguCTMihOcuL6dhVxS.cs	High entropy of concatenated method names: 'phVuxSLq3', 'JQHa5s4kE', 'u6MeXwJd3', 'bV72wWdrn', 'XqVjTEeoe', 'aRvfP3EdK', '.ctor', '.cctor', 'LaN6iW2wc6kNZSQa9K', 'Tslsx4RPCSl2jSVmPP'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252002961.0000000002C61000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.301273221.0000000002C05000.00000004.00000001.sdmp, vlc.exe, 0000000B.00000002.316006335.00000000028D1000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Window / User API: threadDelayed 3753	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Window / User API: threadDelayed 6071	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Window / User API: threadDelayed 2626
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Window / User API: threadDelayed 7218
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Window / User API: threadDelayed 3672
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Window / User API: threadDelayed 6165

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe TID: 5808	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe TID: 6384	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe TID: 6388	Thread sleep count: 3753 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe TID: 6388	Thread sleep count: 6071 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6252	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6540	Thread sleep count: 64 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 6640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7056	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7060	Thread sleep count: 2626 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 7060	Thread sleep count: 7218 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 780	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 3016	Thread sleep count: 3672 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 3016	Thread sleep count: 6165 > 30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior

Source: vlc.exe, 0000000B.00000002.316006335.00000000028D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000003.472294046.00000000015B6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Code function: 2_2_06847FB8 LdrInitializeThunk,

2_2_06847FB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Jump to behavior

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.492478031.0000000001AC0000.00000002.00000001.sdmp, vlc.exe, 00000013.00000002.491073913.00000000019C0000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.491597533.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.492478031.0000000001AC0000.00000002.00000001.sdmp, vlc.exe, 00000013.00000002.491073913.00000000019C0000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.491597533.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.492478031.0000000001AC0000.00000002.00000001.sdmp, vlc.exe, 00000013.00000002.491073913.00000000019C0000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.491597533.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.492478031.0000000001AC0000.00000002.00000001.sdmp, vlc.exe, 00000013.00000002.491073913.00000000019C0000.00000002.00000001.sdmp, vlc.exe, 00000014.00000002.491597533.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe

Code function: 11_2_0726A300 GetUserNameA,

11_2_0726A300

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.301127275.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.301544638.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252002961.0000000002C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.316335903.0000000002978000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252121672.0000000002D02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6996, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6536, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 1740, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6904, type: MEMORY
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.494562870.0000000003276000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6996, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6904, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.301127275.0000000002BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.301544638.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252002961.0000000002C61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.316335903.0000000002978000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252121672.0000000002D02000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6248, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6996, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6536, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 1740, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664, type: MEMORY
Source: Yara match	File source: Process Memory Space: vlc.exe PID: 6904, type: MEMORY
Source: Yara match	File source: 2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.vlc.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Registry Run Keys / Startup Folder11	Process Injection112	File and Directory Permissions Modification1	OS Credential Dumping2	Account Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder11	Disable or Modify Tools1	Input Capture1	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Credentials in Registry1	System Information Discovery124	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Virtualization/Sandbox Evasion14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Network Configuration Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	30%	Virustotal		Browse
SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	31%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog
SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe	31%	ReversingLabs	ByteCode-MSIL.Infostealer.Maslog

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
20.2.vlc.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
19.2.vlc.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
novget.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.typography.netalik	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comessedf	0%	Avira URL Cloud	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
https://discord.com/	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comditom	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.sandoll.co.krU	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/r-t	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/uheT	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comyrlS	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Liha	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comique	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/T	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/R	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/N	0%	Avira URL Cloud	safe
http://www.fontbureau.comaT	0%	Avira URL Cloud	safe
http://www.carterandcone.comq	0%	Avira URL Cloud	safe
http://novget.com	0%	Avira URL Cloud	safe
https://api.ipify.org4$l8	0%	Avira URL Cloud	safe
http://5YdEMfw1vYcxQtIJ.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://discord.com/4	0%	Avira URL Cloud	safe
https://discord.com/8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/l	0%	Avira URL Cloud	safe
http://www.typography.netsiv-u	0%	Avira URL Cloud	safe
http://HReuFq.com	0%	Avira URL Cloud	safe
http://www.carterandcone.comon	0%	Avira URL Cloud	safe
http://www.fontbureau.comitud	0%	Avira URL Cloud	safe
http://www.typography.netez	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTF	0%	Avira URL Cloud	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0t	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.fontbureau.comFN	0%	Avira URL Cloud	safe
http://www.typography.netivh	0%	Avira URL Cloud	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://schemas.microso	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comcom	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	184.73.247.141	true	false		high
novget.com	167.88.170.2	true	true	0%, Virustotal, Browse	unknown
api.ipify.org	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.typography.netalik	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218827779.0000000005C2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comessedf	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224198483.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comalsF	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225588787.0000000005C34000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comditom	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krU	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.219300688.0000000005C1A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/r-t	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/uheT	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220932324.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comyrlS	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Liha	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220932324.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492364241.0000000003098000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, vlc.exe, 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comique	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223821132.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.226940473.0000000005C33000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/T	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/R	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221333628.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/N	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comaT	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.230794690.0000000005C33000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comq	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/N	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223959100.0000000005C34000.00000004.00000001.sdmp	false		high
http://novget.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.499127131.00000000034D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org4$l8	vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://5YdEMfw1vYcxQtIJ.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.498331561.000000000348A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.499427077.00000000034E3000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
https://discord.com/4	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/t	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222469453.0000000005C34000.00000004.00000001.sdmp	false		unknown
https://discord.com/8	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/p	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220785926.0000000005C2B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/m	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/l	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netsiv-u	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://HReuFq.com	vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comon	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220201223.0000000005C12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comitud	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225009614.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netez	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comI.TTF	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comn-u	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220201223.0000000005C12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersE	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224188865.0000000005C52000.00000004.00000001.sdmp	false		high
http://www.tiro.com	vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://elb097307-934924932.us-east-1.elb.amazonaws.com	vlc.exe, 00000013.00000002.492517745.00000000030AC000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/O	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.223854426.0000000005C52000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0t	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225123261.0000000005C52000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comFN	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netivh	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.orgGETMozilla/5.0	vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.microso	vlc.exe	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	false		high
http://fontfabrik.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersk	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225457522.0000000005C52000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comcom	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225487535.0000000005C34000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/m	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.219300688.0000000005C1A000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comvT	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225588787.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/T	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222098114.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersz	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224188865.0000000005C52000.00000004.00000001.sdmp	false		high
http://www.zhongyicts.com.cno.3	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.220143406.0000000005C12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.sakkal.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222024096.0000000005C56000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comoitum	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.230975135.0000000005C33000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comueed	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224146770.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492364241.0000000003098000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.492479441.00000000030A6000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.wikipN	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218382193.0000000005C30000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comtu	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224595210.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessed7	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225289437.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comL.TTF	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.224549941.0000000005C34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.222987089.0000000005C34000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comd	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225487535.0000000005C34000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://api.ipify.org	vlc.exe, 00000013.00000002.492517745.00000000030AC000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.neta_	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.218760455.0000000005C2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.monotype.	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.229992289.0000000005C1B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, vlc.exe, 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, vlc.exe, 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221084547.0000000005C34000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.221786965.0000000005C34000.00000004.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers9	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000003.225560487.0000000005C4E000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.255170523.0000000005D00000.00000002.00000001.sdmp, vlc.exe, 00000006.00000002.305594390.0000000005B10000.00000002.00000001.sdmp, vlc.exe, 0000000B.00000002.320206271.0000000005890000.00000002.00000001.sdmp	false		high
https://secure.comodo.com/CPS0	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.494298446.000000000325B000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.499968225.00000000067C5000.00000004.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, vlc.exe, 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, vlc.exe, 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
184.73.247.141	unknown	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323839
Start date:	27.11.2020
Start time:	16:08:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.3384 (renamed file extension from 3384 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@17/7@6/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 82% Quality standard deviation: 11%
HCA Information:	Successful, ratio: 97% Number of executed functions: 203 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.147.198.201, 40.88.32.150, 51.11.168.160, 23.210.248.85, 20.54.26.129, 51.104.144.132, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:09:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
16:09:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vlc "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"
16:09:29	API Interceptor	670x Sleep call for process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe modified
16:09:47	API Interceptor	984x Sleep call for process: vlc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
184.73.247.141	WeBU3HLcSGLmmDb.exe	Get hash	malicious	Browse	api.ipify.org/
	phy__1__31629__2649094674__1605642612.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	h5I9F5YQyX.exe	Get hash	malicious	Browse	api.ipify.org/
	14RP4w9CuA.exe	Get hash	malicious	Browse	api.ipify.org/
	FACTURA PENDIENTE.exe	Get hash	malicious	Browse	api.ipify.org/
	Swift Copy_G3181992.exe	Get hash	malicious	Browse	api.ipify.org/
	Haruko Industrial Supply offer.exe	Get hash	malicious	Browse	api.ipify.org/
	SKM__C20192910887888001990.pdf.exe	Get hash	malicious	Browse	api.ipify.org/
	5fNtovgDmX.exe	Get hash	malicious	Browse	api.ipify.org/
	1104_83924.xlsb	Get hash	malicious	Browse	api.ipify.org/
	OZmn6gKEgi.exe	Get hash	malicious	Browse	api.ipify.org/
	E099874321.exe	Get hash	malicious	Browse	api.ipify.org/
	BL2648372240.xls.exe	Get hash	malicious	Browse	api.ipify.org/
	ZAzoeb7NY6.exe	Get hash	malicious	Browse	api.ipify.org/
	7Pkuj1axGK.exe	Get hash	malicious	Browse	api.ipify.org/
	35pDlzhl45.exe	Get hash	malicious	Browse	api.ipify.org/
	B3T7eh73ok.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	Payment.exe	Get hash	malicious	Browse	api.ipify.org/
	pqE2Ika4EY.exe	Get hash	malicious	Browse	api.ipify.org/
	QN27UyUjZ5.exe	Get hash	malicious	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
novget.com	Bjtr3wfVjY.exe	Get hash	malicious	Browse	167.88.170.2
	l2aaJwiUce.exe	Get hash	malicious	Browse	167.88.170.2
	7Z50XcJvKchMDzU.exe	Get hash	malicious	Browse	167.88.170.2
elb097307-934924932.us-east-1.elb.amazonaws.com	SecuriteInfo.com.Trojan.PWS.Stealer.29618.24275.exe	Get hash	malicious	Browse	54.225.169.28
	SecuriteInfo.com.Trojan.MulDrop15.61981.23282.exe	Get hash	malicious	Browse	54.235.142.93
	ORDER.exe	Get hash	malicious	Browse	54.243.164.148
	swift copy.exe	Get hash	malicious	Browse	23.21.42.25
	26-11-20_Dhl_Signed_document-pdf.exe	Get hash	malicious	Browse	54.225.220.115
	Arrivalnotice2020pdf.exe	Get hash	malicious	Browse	174.129.214.20
	lxpo.exe	Get hash	malicious	Browse	54.204.14.42
	guy1.exe	Get hash	malicious	Browse	54.225.66.103
	guy2.exe	Get hash	malicious	Browse	54.243.161.145
	PO_0012009.xlsx	Get hash	malicious	Browse	23.21.252.4
	5C.exe	Get hash	malicious	Browse	54.225.169.28
	INV-6367-20_pdf.exe	Get hash	malicious	Browse	54.225.66.103
	#A06578987.xlsm	Get hash	malicious	Browse	54.204.14.42
	SecuriteInfo.com.Variant.Bulz.233365.3916.exe	Get hash	malicious	Browse	23.21.252.4
	https://sugar-stirring-mockingbird.glitch.me/#comp@hansi.at	Get hash	malicious	Browse	54.225.169.28
	INVOICE.xlsx	Get hash	malicious	Browse	54.204.14.42
	PR24869408-V2.PDF.exe	Get hash	malicious	Browse	174.129.214.20
	Inquiry_pdf.exe	Get hash	malicious	Browse	23.21.42.25
	98650107.pdf.exe	Get hash	malicious	Browse	23.21.42.25
	#U00d6deme Onay#U0131 Makbuzu.exe	Get hash	malicious	Browse	174.129.214.20

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	Direct Deposit.xlsx	Get hash	malicious	Browse	34.231.129.212
	Direct Deposit.xlsx	Get hash	malicious	Browse	52.205.236.122
	Direct Deposit.xlsx	Get hash	malicious	Browse	52.205.236.122
	SecuriteInfo.com.Trojan.PWS.Stealer.29618.24275.exe	Get hash	malicious	Browse	54.225.169.28
	SecuriteInfo.com.Trojan.MulDrop15.61981.23282.exe	Get hash	malicious	Browse	54.235.142.93
	ORDER.exe	Get hash	malicious	Browse	54.243.164.148
	swift copy.exe	Get hash	malicious	Browse	23.21.42.25
	26-11-20_Dhl_Signed_document-pdf.exe	Get hash	malicious	Browse	54.225.220.115
	Direct Deposit.xlsx	Get hash	malicious	Browse	34.231.129.212
	Direct Deposit.xlsx	Get hash	malicious	Browse	52.205.236.122
	https://is.gd/NLY8Sb	Get hash	malicious	Browse	35.174.78.146
	Arrivalnotice2020pdf.exe	Get hash	malicious	Browse	174.129.214.20
	guy1.exe	Get hash	malicious	Browse	54.225.66.103
	guy2.exe	Get hash	malicious	Browse	54.243.161.145
	https://34.75.2o2.lol/XYWNc0aW9uPWwNsaWNrJngVybD1ovndHRwnczovL3NleY3wVyZWQtbG9naW4ubmV0nL3BhZ2VzLzQyY2FkNTJhZmU3YSZyZWNpcGllbnRfaWQ9NzM2OTg3ODg4JmNhbXBhaWduX3J1bl9pZD0zOTM3OTcz	Get hash	malicious	Browse	3.215.226.95
	https://bit.do/fLppr	Get hash	malicious	Browse	54.83.52.76
	PO_0012009.xlsx	Get hash	malicious	Browse	23.21.252.4
	https://webnavigator.co/?adprovider=AppFocus1&source=d-cp11560482685&group=cg60&device=c&keyword=&creative=477646941053&adposition=none&placement=www.123homeschool4me.com&target=segment_be_a_7802457135858218830&sl=&caid=11560482685&gw=1&test=%3a%2f%2fmail	Get hash	malicious	Browse	54.90.26.145
	https://m365.eu.vadesecure.com/safeproxy/v4?f=xQsVwKRZoQHMcJWN90zqnir6G6pZJkmZJBUJoNEfoN5w0NIk94-OeCH1NldcAqKsz75KalR9dIZlPCJr1Ux0xQ&i=dKwbScfh0hAXC0Inkkq0sM5FeXPK9I7Ny4D2nAPOiEibKJwP2etJDqX8WzAoEu0mklzE6wT-r8I8OtTRdIg8Sg&k=EPqM&r=_vxI1MPLJP9RjHYc6dmEH2aQYLnm7iSEcU9gx_WNg2_vrJo8MeAqNzNCqHX9DNrQ&s=dbc75c7ed54466f34eeae3fd3b1612b20fb815efc99933570f78acd79467623c&u=https%3A%2F%2Femail.utest.com%2Fls%2Fclick%3Fupn%3DlGjzeq3i4yih7CYyWDD2uGWEioaO303Ya1CTzgGY6ZFHmgV-2FF-2FEWXdAYvLiLIvET2r-2BfuQ5qIL56xFMZkA-2F-2BXKhuWb2hSemZwMxFmG0rDjjP9tlrcROzWmQSAh2kMQamb79I1cx4-2Fvjhww3n8oZQi-2FnOhlQdbGdNxKrX28q7P-2FPufa0AAvr-2FvNJcD-2FrxpMHjDG9dPJU0WEGqi12uVZQLCz-2BjYAJF5yCzK-2FjUezEn2d6sv-2BTETl96ejjfG9yQ2VbdWqGp_snpiKdUCY2bDrEnMsWMAnz6f3HkWPd0oUIj3WsKz0V4NahNEm-2BJ9rDW2-2Fib8wsclxoRuHsrv-2B0aoCVw0ftXwGZJTPgQ4k6DZXQjAqFeejOYe-2FRbaSc1Yf5Xj5PUa6lKqmFYNWSkevePONwyMaBGxV4NDGtgMbAc7jyOEWYDUniHPiY87Lpiw631423FED14OvXIfrL7S45QvDvK6-2Fc04r-2B65lMxyCebYSr-2FOr4bCpGQ-3D	Get hash	malicious	Browse	52.202.11.207
	https://webmail-re5rere.web.app/?emailtoken=test@test.com&domain=test.com	Get hash	malicious	Browse	34.236.142.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SecuriteInfo.com.Trojan.PWS.Stealer.29618.24275.exe	Get hash	malicious	Browse	184.73.247.141
	Purchase Order.exe	Get hash	malicious	Browse	184.73.247.141
	SecuriteInfo.com.Trojan.MulDrop15.61981.23282.exe	Get hash	malicious	Browse	184.73.247.141
	ORDER.exe	Get hash	malicious	Browse	184.73.247.141
	Mixtec New Order And Price List Requsting Form_pdf.exe	Get hash	malicious	Browse	184.73.247.141
	swift copy.exe	Get hash	malicious	Browse	184.73.247.141
	26-11-20_Dhl_Signed_document-pdf.exe	Get hash	malicious	Browse	184.73.247.141
	Arrivalnotice2020pdf.exe	Get hash	malicious	Browse	184.73.247.141
	SecuriteInfo.com.Mal.Generic-S.26042.exe	Get hash	malicious	Browse	184.73.247.141
	guy1.exe	Get hash	malicious	Browse	184.73.247.141
	guy2.exe	Get hash	malicious	Browse	184.73.247.141
	Exodus.exe	Get hash	malicious	Browse	184.73.247.141
	INV-6367-20_pdf.exe	Get hash	malicious	Browse	184.73.247.141
	#A06578987.xlsm	Get hash	malicious	Browse	184.73.247.141
	Order 51897.exe	Get hash	malicious	Browse	184.73.247.141
	PR24869408-V2.PDF.exe	Get hash	malicious	Browse	184.73.247.141
	98650107.pdf.exe	Get hash	malicious	Browse	184.73.247.141
	#U00d6deme Onay#U0131 Makbuzu.exe	Get hash	malicious	Browse	184.73.247.141
	Izezma64.dll	Get hash	malicious	Browse	184.73.247.141
	fuxenm32.dll	Get hash	malicious	Browse	184.73.247.141

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe.log Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1391
Entropy (8bit):	5.344111348947579
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4W:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzh
MD5:	E87C60A24438CC611338EA5ACB433A0A
SHA1:	E0C6A7D5CFE32BB2178E71DEE79971A51697B7DD
SHA-256:	80DAB47D7A9E233A692D10ACAF5793E34911836D36DB2E11BB7C5D42DE39782A
SHA-512:	3DBD6773153DC9D05558ED491A92C9B4B72D594263D7BD2D06BDDCF09BE55477D35041145219A5E9A46B38575E5B60DA91C6870B2CA29A83388695AD389B8EBF
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vlc.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	5.344111348947579
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4W:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzh
MD5:	E87C60A24438CC611338EA5ACB433A0A
SHA1:	E0C6A7D5CFE32BB2178E71DEE79971A51697B7DD
SHA-256:	80DAB47D7A9E233A692D10ACAF5793E34911836D36DB2E11BB7C5D42DE39782A
SHA-512:	3DBD6773153DC9D05558ED491A92C9B4B72D594263D7BD2D06BDDCF09BE55477D35041145219A5E9A46B38575E5B60DA91C6870B2CA29A83388695AD389B8EBF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	518656
Entropy (8bit):	7.090523037661616
Encrypted:	false
SSDEEP:	12288:5gMuIpvMHWB2naHLmFGlZ09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxc:mICE2n+jZIFqy
MD5:	0998148D355B1E7BAD7B44558AA4C125
SHA1:	5D062CB98564C1F2BC821C0A3E81B228780F77F7
SHA-256:	8EF317F2278FBE6A533E8F78B932698E986280D2F4A6716AAAAA4DC5692222A8
SHA-512:	0F824BC00379FF7F0E48C9D9E9ADFF8D38A6424B07B9E81528156747A628603E85E986DCBC618BF739FA06CCECA6343519D24C80C2B397A7887CDCAC0A0F8F32
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+._...........................^.... ........@.. .......................@............@.....................................K........&................... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc....&.......(..................@..@.reloc....... ......................@..B................@.......H........1..87......n....h..s...........................................0..t........(....8B...8........E....?...........8:....(.... .....:....&8.....(....8.....(.... .....:....&8.....(.... ....8.....0..@....... ........8........E..................../...............8....8.... ....8....s......8....8.... ....8..........(....r...p................(.......(..................(.......o....t....}.... ....(....9K...& ....8@...s...... ....(....9...&8 .....(....8]... ...... ....8....*

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\drivers\etc\hosts Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	11
Entropy (8bit):	2.663532754804255
Encrypted:	false
SSDEEP:	3:iLE:iLE
MD5:	B24D295C1F84ECBFB566103374FB91C5
SHA1:	6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256:	4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512:	9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	..127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.090523037661616
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
File size:	518656
MD5:	0998148d355b1e7bad7b44558aa4c125
SHA1:	5d062cb98564c1f2bc821c0a3e81b228780f77f7
SHA256:	8ef317f2278fbe6a533e8f78b932698e986280d2f4a6716aaaaa4dc5692222a8
SHA512:	0f824bc00379ff7f0e48c9d9e9adff8d38a6424b07b9e81528156747a628603e85e986dcbc618bf739fa06cceca6343519d24c80c2b397a7887cdcac0a0f8f32
SSDEEP:	12288:5gMuIpvMHWB2naHLmFGlZ09FQFFFFFFFFFFFFFFFFFFFFFRYH8txxxxxxxxxxxxc:mICE2n+jZIFqy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+._.....................*......^.... ........@.. .......................@............@................................

File Icon


Icon Hash:	d098909eaab2a282

Static PE Info

General
Entrypoint:	0x43dc5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FC02BDB [Thu Nov 26 22:27:39 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3dc10	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0x426c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3bc64	0x3be00	False	0.969386090814	data	7.96249614821	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x3e000	0x426c8	0x42800	False	0.409991042058	data	5.87126152063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x3e4c0	0x3acd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x41f90	0x668	data
RT_ICON	0x425f8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 4287137928, next used block 12320655
RT_ICON	0x428e0	0x1e8	data
RT_ICON	0x42ac8	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x42bf0	0x662a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x4921c	0xea8	data
RT_ICON	0x4a0c4	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15987957, next used block 16184308
RT_ICON	0x4a96c	0x6c8	data
RT_ICON	0x4b034	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x4b59c	0x6014	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x515b0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 2533359616, next used block 620756992
RT_ICON	0x61dd8	0x94a8	data
RT_ICON	0x6b280	0x67e8	data
RT_ICON	0x71a68	0x5488	data
RT_ICON	0x76ef0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16777215, next used block 520093696
RT_ICON	0x7b118	0x25a8	data
RT_ICON	0x7d6c0	0x10a8	data
RT_ICON	0x7e768	0x988	data
RT_ICON	0x7f0f0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x7f558	0x11e	data
RT_VERSION	0x7f678	0x3f8	data
RT_MANIFEST	0x7fa70	0xc55	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright (c) 2020 Discord Inc. All rights reserved.
Assembly Version	0.0.52.0
InternalName	Jqeofcirr6.exe
FileVersion	0.0.52.0
CompanyName	Discord Inc.
Comments	Discord - https://discord.com/
ProductName	Discord - https://discord.com/
ProductVersion	0.0.52.0
FileDescription	Discord - https://discord.com/
OriginalFilename	Jqeofcirr6.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/27/20-16:11:05.994110	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49743	587	192.168.2.3	167.88.170.2
11/27/20-16:11:11.304820	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49745	587	192.168.2.3	167.88.170.2

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 16:10:52.158862114 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.263959885 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.264108896 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.360889912 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.463006020 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.463107109 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.463140011 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.463161945 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.463205099 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.463321924 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.463380098 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.464363098 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.501524925 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.603996038 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:52.646924973 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:52.883559942 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:10:53.026262045 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:53.222007036 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:10:53.272025108 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:11:04.340401888 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:11:04.442574024 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:11:04.442604065 CET	443	49742	184.73.247.141	192.168.2.3
Nov 27, 2020 16:11:04.442673922 CET	49742	443	192.168.2.3	184.73.247.141
Nov 27, 2020 16:11:04.442713022 CET	49742	443	192.168.2.3	184.73.247.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 16:08:53.528259039 CET	55984	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:53.555396080 CET	53	55984	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:54.346304893 CET	64185	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:54.373559952 CET	53	64185	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:55.077522993 CET	65110	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:55.104626894 CET	53	65110	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:55.727773905 CET	58361	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:55.754899025 CET	53	58361	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:56.383045912 CET	63492	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:56.410063982 CET	53	63492	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:57.223372936 CET	60831	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:57.250415087 CET	53	60831	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:58.022825956 CET	60100	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:58.058121920 CET	53	60100	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:58.771238089 CET	53195	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:58.806698084 CET	53	53195	8.8.8.8	192.168.2.3
Nov 27, 2020 16:08:59.474934101 CET	50141	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:08:59.501928091 CET	53	50141	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:00.408293962 CET	53023	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:00.435436964 CET	53	53023	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:01.230299950 CET	49563	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:01.257329941 CET	53	49563	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:01.880844116 CET	51352	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:01.908000946 CET	53	51352	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:02.573705912 CET	59349	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:02.600739002 CET	53	59349	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:03.226224899 CET	57084	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:03.265074968 CET	53	57084	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:03.861419916 CET	58823	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:03.888498068 CET	53	58823	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:09.480675936 CET	57568	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:09.516343117 CET	53	57568	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:10.691750050 CET	50540	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:10.718745947 CET	53	50540	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:11.561167955 CET	54366	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:11.596489906 CET	53	54366	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:18.477480888 CET	53034	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:18.504587889 CET	53	53034	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:21.647043943 CET	57762	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:21.685254097 CET	53	57762	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:40.545411110 CET	55435	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:40.588783026 CET	53	55435	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:52.954413891 CET	50713	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:52.981622934 CET	53	50713	8.8.8.8	192.168.2.3
Nov 27, 2020 16:09:56.917171001 CET	56132	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:09:56.954147100 CET	53	56132	8.8.8.8	192.168.2.3
Nov 27, 2020 16:10:28.759417057 CET	58987	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:10:28.786559105 CET	53	58987	8.8.8.8	192.168.2.3
Nov 27, 2020 16:10:30.345846891 CET	56579	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:10:30.381548882 CET	53	56579	8.8.8.8	192.168.2.3
Nov 27, 2020 16:10:51.953882933 CET	60633	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:10:51.980912924 CET	53	60633	8.8.8.8	192.168.2.3
Nov 27, 2020 16:10:52.011595964 CET	61292	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:10:52.038728952 CET	53	61292	8.8.8.8	192.168.2.3
Nov 27, 2020 16:11:04.332662106 CET	63619	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:11:04.384574890 CET	53	63619	8.8.8.8	192.168.2.3
Nov 27, 2020 16:11:08.244714022 CET	64938	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:11:08.271965027 CET	53	64938	8.8.8.8	192.168.2.3
Nov 27, 2020 16:11:08.275780916 CET	61946	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:11:08.303155899 CET	53	61946	8.8.8.8	192.168.2.3
Nov 27, 2020 16:11:09.849248886 CET	64910	53	192.168.2.3	8.8.8.8
Nov 27, 2020 16:11:09.884805918 CET	53	64910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 16:10:51.953882933 CET	192.168.2.3	8.8.8.8	0x8481	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.011595964 CET	192.168.2.3	8.8.8.8	0xf6b0	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:04.332662106 CET	192.168.2.3	8.8.8.8	0xc01f	Standard query (0)	novget.com	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.244714022 CET	192.168.2.3	8.8.8.8	0xc777	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.275780916 CET	192.168.2.3	8.8.8.8	0xa647	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:09.849248886 CET	192.168.2.3	8.8.8.8	0x4321	Standard query (0)	novget.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		184.73.247.141	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.164.148	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:51.980912924 CET	8.8.8.8	192.168.2.3	0x8481	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.252.4	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		174.129.214.20	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.204.14.42	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.142.93	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.220.115	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 27, 2020 16:10:52.038728952 CET	8.8.8.8	192.168.2.3	0xf6b0	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:04.384574890 CET	8.8.8.8	192.168.2.3	0xc01f	No error (0)	novget.com		167.88.170.2	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.204.14.42	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.271965027 CET	8.8.8.8	192.168.2.3	0xc777	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.169.28	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.182.194	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.204.14.42	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.66.103	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.42.25	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:08.303155899 CET	8.8.8.8	192.168.2.3	0xa647	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.126.66	A (IP address)	IN (0x0001)
Nov 27, 2020 16:11:09.884805918 CET	8.8.8.8	192.168.2.3	0x4321	No error (0)	novget.com		167.88.170.2	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 27, 2020 16:10:52.464363098 CET	184.73.247.141	443	192.168.2.3	49742	CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Jan 24 01:00:00 CET 2018 Wed Feb 12 01:00:00 CET 2014 Tue Jan 19 01:00:00 CET 2010	Sun Jan 24 00:59:59 CET 2021 Mon Feb 12 00:59:59 CET 2029 Tue Jan 19 00:59:59 CET 2038	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
					CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Jan 19 01:00:00 CET 2010	Tue Jan 19 00:59:59 CET 2038

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 1740 Parent PID: 5712

General

Start time:	16:08:57
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe'
Imagebase:	0x900000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.252002961.0000000002C61000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.252121672.0000000002D02000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5936 Parent PID: 1740

General

Start time:	16:09:12
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Imagebase:	0x380000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664 Parent PID: 1740

General

Start time:	16:09:12
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Imagebase:	0xdf0000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.493762678.0000000003221000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.494562870.0000000003276000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6248 Parent PID: 3388

General

Start time:	16:09:23
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0x720000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.301432064.0000000002C68000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.301127275.0000000002BC1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.301544638.0000000003B41000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6536 Parent PID: 3388

General

Start time:	16:09:31
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Imagebase:	0x450000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.316498806.0000000003851000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.316335903.0000000002978000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6828 Parent PID: 6248

General

Start time:	16:09:34
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x310000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6888 Parent PID: 6248

General

Start time:	16:09:35
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x160000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6896 Parent PID: 6248

General

Start time:	16:09:36
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x210000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6904 Parent PID: 6248

General

Start time:	16:09:36
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0xa30000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.484731635.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.491667671.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vlc.exe PID: 6996 Parent PID: 6536

General

Start time:	16:09:43
Start date:	27/11/2020
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Imagebase:	0x870000
File size:	518656 bytes
MD5 hash:	0998148D355B1E7BAD7B44558AA4C125
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.492574404.0000000002E21000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.484733374.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 1740 Parent PID: 5712 SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exeCOMMON

Executed Functions

Function 0742BAC8, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf1c77df88ecd9a55fb951bc84b5014272302e04afa0770637718c0e8d8f8f1
Instruction ID: 5b73526f0035c47536e7ae7e89232b515c0fe2c2ed818633c36363f275570356
Opcode Fuzzy Hash: dbf1c77df88ecd9a55fb951bc84b5014272302e04afa0770637718c0e8d8f8f1
Instruction Fuzzy Hash: 31B15EF0E002199FDB10CFA9C8857EEBBF2EF88304F54852AD815A7754EB749856DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0742C398, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5438e2eb00a38e8a8669b7a745e16d2be7ea3242f30dc254d0afddc0287e383
Instruction ID: c6148b35e0bf43172722d3d3d4fdf5e180d8d7d0f775486347411668759d52f9
Opcode Fuzzy Hash: d5438e2eb00a38e8a8669b7a745e16d2be7ea3242f30dc254d0afddc0287e383
Instruction Fuzzy Hash: 79B171B0E002298FDB10CFA8C9C17EEBBF2AF48354F64812AD415E7354DB749896DB95

Uniqueness

Uniqueness Score: -1.00%

Function 010AB758, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010AB7C8
GetCurrentThread.KERNEL32 ref: 010AB805
GetCurrentProcess.KERNEL32 ref: 010AB842
GetCurrentThreadId.KERNEL32 ref: 010AB89B

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d14e702378b53a1dfaa40b3d369cb560b3a99445259606b1fb214eb7c68d1225
Instruction ID: b54c97e5cffc455588e58b0c357f83083df32ef25e55f5b36755a5472a2d636c
Opcode Fuzzy Hash: d14e702378b53a1dfaa40b3d369cb560b3a99445259606b1fb214eb7c68d1225
Instruction Fuzzy Hash: E45174B0A006498FDB54CFA9D9887EEBFF1BF88314F258599E459A7391CB345844CF22

Uniqueness

Uniqueness Score: -1.00%

Function 010AB768, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 010AB7C8
GetCurrentThread.KERNEL32 ref: 010AB805
GetCurrentProcess.KERNEL32 ref: 010AB842
GetCurrentThreadId.KERNEL32 ref: 010AB89B

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 22efc3e9272a63a0211d1fbb4fa289a86b2112e173762f59de06e4b975978a9e
Instruction ID: 0314b465ffaa21e8b53190ce02ea8411aa7a951e0a7dfb2fe16abcf124c9c8e6
Opcode Fuzzy Hash: 22efc3e9272a63a0211d1fbb4fa289a86b2112e173762f59de06e4b975978a9e
Instruction Fuzzy Hash: 775164B09006488FDB54CFA9D988BDEBFF1BF48314F258499E559A7390DB346844CF62

Uniqueness

Uniqueness Score: -1.00%

Function 010A9470, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A96B6

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e83a0195cf3d4d0f5e72a652853fb955e8f212411e85d8b167a4597808724727
Instruction ID: 31d656b354b4f85931f5ba1d1ad4823559f6a839033ae1935f2f4f6e84846a33
Opcode Fuzzy Hash: e83a0195cf3d4d0f5e72a652853fb955e8f212411e85d8b167a4597808724727
Instruction Fuzzy Hash: C97147B0A00B058FD764DFAAD4517AABBF1FF88214F44892DD586DBA50DB34E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010AFDCD, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010AFEEA

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ed2edbdf04ae7e03c0fde25362c2ea6492771e50cdb4fa6bfff21ca5840f401f
Instruction ID: 6532bef59812fe8003d3119461bcfcab77491900a3afda1594012e965f6b1131
Opcode Fuzzy Hash: ed2edbdf04ae7e03c0fde25362c2ea6492771e50cdb4fa6bfff21ca5840f401f
Instruction Fuzzy Hash: EB51E0B1D003499FDB14CFA9C884ADEBFF5BF48314F64812AE919AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010AFDD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010AFEEA

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e0bd56db0b3cbd5c39d2b4b65de09406a98388950ff4e7f66be2d03908eba567
Instruction ID: ccec88a415f43cf76ba8e774e0739dd5ebec4c1577a8a0329fb9c409cd6f0276
Opcode Fuzzy Hash: e0bd56db0b3cbd5c39d2b4b65de09406a98388950ff4e7f66be2d03908eba567
Instruction Fuzzy Hash: C541CEB1D00309AFDB14CF9AC884ADEBFF5BF48314F64812AE919AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010A5384, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010A5441

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a032bbed4539b650cf78328212e7b0d061ab655d39acea585feaa7c6cddb8a4
Instruction ID: 5555fc8c51d68c6541fa95cd79403a20a5a099d0acad9e1997b72d33d1fa1c64
Opcode Fuzzy Hash: 1a032bbed4539b650cf78328212e7b0d061ab655d39acea585feaa7c6cddb8a4
Instruction Fuzzy Hash: D6411271D04619CFDB24CFA9C884BCEBBF5BF89309F2080A9D409AB251DB795946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010A3E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 010A5441

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4284e361caeef191c614f85002ada8734d51d47b1cba03ce419f7d15e4870d17
Instruction ID: 4a47950609de35b8aefd48caa7563a995399478843639bdea7affc495ef329a0
Opcode Fuzzy Hash: 4284e361caeef191c614f85002ada8734d51d47b1cba03ce419f7d15e4870d17
Instruction Fuzzy Hash: 18410271D04718CBDB24CFA9C884BDEBBF5BF48309F608069D509AB251DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074293ED, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 074294C2

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a4badb62f49469f4521d2580a0d72fe58290bb870861ccd8d06a878103b2e5e2
Instruction ID: 35eb4fb75f99636b5709b04c7f86189c1edb6ef428ae4ca2e2f0a25ed5902e59
Opcode Fuzzy Hash: a4badb62f49469f4521d2580a0d72fe58290bb870861ccd8d06a878103b2e5e2
Instruction Fuzzy Hash: 853132B1D042699FCB10CFA8C8847DEBBF1BB08314F54852AE815B7380D774A486CF96

Uniqueness

Uniqueness Score: -1.00%

Function 051D2440, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 051D2501

Memory Dump Source

Source File: 00000000.00000002.253510174.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a480fa5a6a7a756d0105e495393910631574a92e4f748aeb99fc8dbee37af27d
Instruction ID: 0a22c364b503fe0e9464fa3c0a2e6c7193668874ebf3bc626a591fc62bcb5f0b
Opcode Fuzzy Hash: a480fa5a6a7a756d0105e495393910631574a92e4f748aeb99fc8dbee37af27d
Instruction Fuzzy Hash: 5F4129B9A003459FCB14CF99C488AAAFBF5FF88314F15C599D529AB321D734A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07425CE0, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 074294C2

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 26b11fe2444076e6c411a927f3d37027ca5f0fdaf3e8584ec9c4020b7ac71b71
Instruction ID: 7973eed4775baa1b0d9fe994c481a395b3efb1a2b8ec1df8cdc7c4e9df2e49e6
Opcode Fuzzy Hash: 26b11fe2444076e6c411a927f3d37027ca5f0fdaf3e8584ec9c4020b7ac71b71
Instruction Fuzzy Hash: 083123B1D042699FCB14CFA8C8847DEBBF1BB08314F54852AE815B7390D774A896CF96

Uniqueness

Uniqueness Score: -1.00%

Function 010AB988, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ABA17

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8e96708d02b0fc00716cf4cd65ca179490a992133eb03386413c824e3d145c69
Instruction ID: 95a974754c432f88b5b39a5c813ef487a280f58f5dfdb75959cca15b79d9ad94
Opcode Fuzzy Hash: 8e96708d02b0fc00716cf4cd65ca179490a992133eb03386413c824e3d145c69
Instruction Fuzzy Hash: 5621E4B5900248AFDB10CFA9D984ADEBFF8FB58324F14841AE954B3351D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051DD738, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 051DD7BE

Memory Dump Source

Source File: 00000000.00000002.253510174.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 7cf482ee04914f1b3ff6d9565048f5683b0b2d1f31fe790b5dd933eb514da369
Instruction ID: bfb5c071b49427ccd1593121616aa7c0c97bbc40b2f10c5ea73ec55412939d7f
Opcode Fuzzy Hash: 7cf482ee04914f1b3ff6d9565048f5683b0b2d1f31fe790b5dd933eb514da369
Instruction Fuzzy Hash: AE2100B29013099FCB10CF99E984ADEFBF8FB48314F14842EE819A7200D374A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010AB990, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ABA17

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7c79862453eddd11cb9e3b2a7817b0066d5899538071dceb0b146ea0f10d371a
Instruction ID: e1c46f8af14c8d0516ac1561879099c40f5d3c5f2bbd46290ea2e1958bb8835e
Opcode Fuzzy Hash: 7c79862453eddd11cb9e3b2a7817b0066d5899538071dceb0b146ea0f10d371a
Instruction Fuzzy Hash: F821D5B59002489FDB10CF99D984ADEBFF8FB48324F15841AE954B7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051DD730, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 051DD7BE

Memory Dump Source

Source File: 00000000.00000002.253510174.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 837a65b9b5a24aeaed748cbfcf37474927fb111c0ddfa72ab663413418d129ed
Instruction ID: ff5e353d23c0e9a4e9ffce7900bcbd68a5e9a15bb03a8fe72a1c5df501008973
Opcode Fuzzy Hash: 837a65b9b5a24aeaed748cbfcf37474927fb111c0ddfa72ab663413418d129ed
Instruction Fuzzy Hash: DB21F2B69013099FCB10CFA9D984AEEFBF4FF08314F14846EE919A7600D374A944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010A89D0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010A9731,00000800,00000000,00000000), ref: 010A9942

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 73c134656084653edfb9bc268496f78ceae90f49e700e88067600ed6dcdc72fe
Instruction ID: 654adc67448d3db6cdce9d3662a44205c24873515c02e53457370efe80361e5e
Opcode Fuzzy Hash: 73c134656084653edfb9bc268496f78ceae90f49e700e88067600ed6dcdc72fe
Instruction Fuzzy Hash: A01126B69043499FDB10CF9AD444ADEFBF4EB88324F01842AD555B7240C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 074296A1, Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0742970A

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 228c7f6fd9bd802ece85fa9171549ff44329aeefd498b9408ab01df614046191
Instruction ID: 3b56b5ce83f6dca171a226b1f9e2f75d84242383cca8fbbf43f7238e411fe3b0
Opcode Fuzzy Hash: 228c7f6fd9bd802ece85fa9171549ff44329aeefd498b9408ab01df614046191
Instruction Fuzzy Hash: 50112BB1D043588FCB10DFA9D4447DEFBF5AF88224F14841AD515B7640CB746945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010A98D0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010A9731,00000800,00000000,00000000), ref: 010A9942

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d3cefae97273265ebe048d1bb8b41153691d2d8c1abab552d533bad73a84ea7f
Instruction ID: 18aa4d3a4906acf911794510415901e78fb403b1d70e8bb95f7950acfab32bec
Opcode Fuzzy Hash: d3cefae97273265ebe048d1bb8b41153691d2d8c1abab552d533bad73a84ea7f
Instruction Fuzzy Hash: EF1133B69002499FCB10CFAAD484AEEFBF4AB88324F11846AD555A7200C375A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 074296A8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0742970A

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 153f02436771fd0fb82ae8f2c07eef495455875a2b6767fb49ca5eafd2a746d3
Instruction ID: ebebb03361cc462269a81c541b13ea2645d7eec694559a20d59e8b4849bae49e
Opcode Fuzzy Hash: 153f02436771fd0fb82ae8f2c07eef495455875a2b6767fb49ca5eafd2a746d3
Instruction Fuzzy Hash: 4A113AB1D042588BCB10DFA9C4447DFFBF9AF88224F14881AC519B7240CB74A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010A9650, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 010A96B6

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1c694875a95e0807424910479e30b59ef4dafad697b1d76141eeedf3e0602388
Instruction ID: 8608c5ab64afb85f8c45010cd2ef3ddf596e167c9a42c56ab5b1544807f088de
Opcode Fuzzy Hash: 1c694875a95e0807424910479e30b59ef4dafad697b1d76141eeedf3e0602388
Instruction Fuzzy Hash: 131110B2D002498FDB10CF9AC444BDEFBF4AF88224F15841AD559B7210D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251410405.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0dbd41ea996c73ba58535d755dab1e0ee0c61c2ba46d966cc6004a86040141
Instruction ID: b810d8e3d585b767bf3fe11d4249bb4624fdcaa1eb19d983bd01a55d8b8fa299
Opcode Fuzzy Hash: ee0dbd41ea996c73ba58535d755dab1e0ee0c61c2ba46d966cc6004a86040141
Instruction Fuzzy Hash: 9B2136B1504204DFDB01CF94C9C0B5ABBA5FBD8324F24C5B9E9490B246C73AE856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0105D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251436377.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e420b4b34cb6abd9a0954e3cecb0b969d2a716f44149b1e3495f132df6e57e
Instruction ID: 33b731bfdbc8efaade4cd9ef506abaf0b5b40ad2feda1c166a00b82bd63f65ed
Opcode Fuzzy Hash: 10e420b4b34cb6abd9a0954e3cecb0b969d2a716f44149b1e3495f132df6e57e
Instruction Fuzzy Hash: 17210371504240DFDB51CFA4D9C0B1BBBA5FB88254F24C9AAED894B246C33AD846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0105D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251436377.000000000105D000.00000040.00000001.sdmp, Offset: 0105D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccaab20cc820d3a42c9da040a19e7b77be09ce731c89edbfb069fd29c45efa9
Instruction ID: 514bbc6f3b4f51a295b028f418926dccede21099fc483f460c734981f620610e
Opcode Fuzzy Hash: 5ccaab20cc820d3a42c9da040a19e7b77be09ce731c89edbfb069fd29c45efa9
Instruction Fuzzy Hash: A821D4754083808FCB43CF24C990715BFB1EB45214F28C5DBD8888B297C33AD40ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07300048, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256936294.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934c1d978dad9e5bb9a62c6b5e2af21881b0baf7e57fb06b175127cbba316ad6
Instruction ID: 15b446277daabfde91b2f7f722665d8a19350d4062568e8977bafb796de8ecf7
Opcode Fuzzy Hash: 934c1d978dad9e5bb9a62c6b5e2af21881b0baf7e57fb06b175127cbba316ad6
Instruction Fuzzy Hash: 9001C8B6314211879B28966DD020667F7EABFE5522715803ED649C7380DF77C881C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 0104D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251410405.000000000104D000.00000040.00000001.sdmp, Offset: 0104D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 88bcf40f1d2140e628efe06dfac03de112c99f5b4f99b7999f8d44d01598ebaa
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: 2F11E1B6404280CFCB02CF54D5C0B56BFB1FB94320F28C2A9D8490B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07300000, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256936294.0000000007300000.00000040.00000001.sdmp, Offset: 07300000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53f334e359628cf70e0eac41b1ac80be1cedd3deed05daa05059a1e663ba995
Instruction ID: 3186217a2b0249c9c1a226cad5d5fc2f2a29a943844350d490495d97a2137c8c
Opcode Fuzzy Hash: f53f334e359628cf70e0eac41b1ac80be1cedd3deed05daa05059a1e663ba995
Instruction Fuzzy Hash: 1911187611E3C28FD7175B348864666BF75AF93121B1B00EBD484CB1A3E66A4888D7A3

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010AE650, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36baa31c566fdfb04adf29559581eaa7b4bccc89b7eecac37f190c4b59e35e36
Instruction ID: 6f65b540212b0fa155f689c88d1e5f70f2c9603e37c4d89e313558184288cf8e
Opcode Fuzzy Hash: 36baa31c566fdfb04adf29559581eaa7b4bccc89b7eecac37f190c4b59e35e36
Instruction Fuzzy Hash: A112D5B1413B668AE330CF69EC985897B70B745329F904208DEE15FAD8D7BE114ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 010AC284, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835bebc21757d1d0747b761fa63f700a4aee29ca78a9aea63ac9dced882addbd
Instruction ID: 55dff84fa337c68a7b37f421942bf1f53e620b92ff45d8eaef20db68caab4219
Opcode Fuzzy Hash: 835bebc21757d1d0747b761fa63f700a4aee29ca78a9aea63ac9dced882addbd
Instruction Fuzzy Hash: 3FA15C32E0021A8FCF05DFE5C9449DEBBF2FF85300B5585AAE945AB265EB31E905CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0742B780, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.257065789.0000000007420000.00000040.00000001.sdmp, Offset: 07420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713ebde8fe66d60d95ad86725e089f685d3ac4879bc7b8807821230545816492
Instruction ID: 5075640a63dc9a9bac7996a95e218a82697984e046df9b60c17c1486f5feb855
Opcode Fuzzy Hash: 713ebde8fe66d60d95ad86725e089f685d3ac4879bc7b8807821230545816492
Instruction Fuzzy Hash: F7917EF0E002199FDB10CFA9C9817DEBBF2EF88314F64812AD419A7354EB349956DB91

Uniqueness

Uniqueness Score: -1.00%

Function 010AE640, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251527925.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe5d702d512dd685b4bedf605a241b1e5af0c71557ba97a5208c128174b7bbb8
Instruction ID: 0564be8f91af5fe1bd8d4f445258b24ef30f8071826255a4f79fd555d544c88d
Opcode Fuzzy Hash: fe5d702d512dd685b4bedf605a241b1e5af0c71557ba97a5208c128174b7bbb8
Instruction Fuzzy Hash: CAC13AB18127668BD730CF69EC885897B71BB85328F514308DDA16FAD8D7BE104ACF85

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe PID: 5664 Parent PID: 1740 SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exeCOMMON

Executed Functions

Function 06A593E8, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06A59B70

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf4c82b49116cb8cae27e89fdd0f74d9d7a1d2879e85dca0db8aac86b9c69a9f
Instruction ID: 9c6eb607c1be4cb9c86d7f3b0f9bc623633bc08d6b8af5f4a456885ecd1dfdba
Opcode Fuzzy Hash: cf4c82b49116cb8cae27e89fdd0f74d9d7a1d2879e85dca0db8aac86b9c69a9f
Instruction Fuzzy Hash: D4621B31E007198FDB64EF78C85469EB7F1AF89304F1185A9D90AAB354EF309E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06847FB8, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06847FF9

Memory Dump Source

Source File: 00000002.00000002.503352227.0000000006840000.00000040.00000001.sdmp, Offset: 06840000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66de40507678cb460b07e75c6b99078a5ed5ed68dda6ad602bd3d74b765537e5
Instruction ID: d24456e5d5e7366ef605a8195564dcbe499af18fe995783577b699cfdf8b4614
Opcode Fuzzy Hash: 66de40507678cb460b07e75c6b99078a5ed5ed68dda6ad602bd3d74b765537e5
Instruction Fuzzy Hash: D7613970E10209DFDB54EBB4D858AAEB7B6AF88309F108829D416E7354DF39D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0687D738, Relevance: 1.4, Instructions: 1434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8dc187b7a1fde2ceb5833439b65e5ff7996be6ed55ebeeea167be1cd23531c
Instruction ID: 997af5e71a1549424bb5f78871e8af24bff826e9aa6b4ab6d30d1e119554fd94
Opcode Fuzzy Hash: df8dc187b7a1fde2ceb5833439b65e5ff7996be6ed55ebeeea167be1cd23531c
Instruction Fuzzy Hash: CEC26930A00204CFDB64DBB8D458AADB7F2EF89319F1488A9D506DB7A1DB35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687EB0C, Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e3890df594c7e3a7e2310499d303db2c5938f4976fad8c9ceef0eb0aa44730
Instruction ID: d433b24185502aef2c66be8a1de4c63eec64f4bf870b240a677d0d1894240915
Opcode Fuzzy Hash: 54e3890df594c7e3a7e2310499d303db2c5938f4976fad8c9ceef0eb0aa44730
Instruction Fuzzy Hash: 3642A430E042488FDBA4DBB8C454BADBBB2AF85304F14C5AAD609EF295CB74DC85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06871FE0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600c947c5d11d00ff04ee02d14b6cdaaa005f04af95c396edf382621944aaf0d
Instruction ID: c13daa9b4241cd21952be82d09579312d56ea73e83d60db9450c585fce4ba186
Opcode Fuzzy Hash: 600c947c5d11d00ff04ee02d14b6cdaaa005f04af95c396edf382621944aaf0d
Instruction Fuzzy Hash: 07027D70A102198FDB54DFA8C864BAEBBB6BF88304F148569E906DB395DF34DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06872618, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7831b16a33435723ea08b03dc9f0334fe4732c93db02777cf9cfd8e6dc2abe5e
Instruction ID: ccb01baf51ccdadc55f4c8e1315d26888cef1ffe27460d588d5e5448e508c8e5
Opcode Fuzzy Hash: 7831b16a33435723ea08b03dc9f0334fe4732c93db02777cf9cfd8e6dc2abe5e
Instruction Fuzzy Hash: 60027D30E00209DFCB55DFA9C994AADBBB2FF88314F158069E915EB261D731EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0687AB78, Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9510f2197934ec4e30b55e3b44473781a03b783b65fd8849f69d9af2cd86fa35
Instruction ID: 7aeac442c33aaba09cf85fa84387314875cd16156bcfaa565116a7ebcbb8810c
Opcode Fuzzy Hash: 9510f2197934ec4e30b55e3b44473781a03b783b65fd8849f69d9af2cd86fa35
Instruction Fuzzy Hash: 90E1D330B042048FCB59DBB8D8846AE7BF6EF89304F248969E505DB361DB35DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687CFF8, Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55381135402f3ce0aeed2f3e14f8350f96f8b823101c694f352652a3be15f072
Instruction ID: 331e21790b2c200e2d8d67a2ac12d2b5f9fd3946d7efc418113ef62060abdfce
Opcode Fuzzy Hash: 55381135402f3ce0aeed2f3e14f8350f96f8b823101c694f352652a3be15f072
Instruction Fuzzy Hash: ADE1C330B093858FD752C778D8546AA7BF6AF86304F1984EBD544CF2A3E679DC0A8721

Uniqueness

Uniqueness Score: -1.00%

Function 0687F780, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2a70a78ff8885cf308276b53844e99b05954f835e3892fe4324f1e64841bde
Instruction ID: 11b6fb554de23b10ed6b77465d0860c78179b8ccdd3a284f043092cf508ec407
Opcode Fuzzy Hash: ee2a70a78ff8885cf308276b53844e99b05954f835e3892fe4324f1e64841bde
Instruction Fuzzy Hash: 95B1BE31A04249DFCF05CFA9C844ADEBBB2FF89314F14856AEA15EB291D731E855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06A5AD80, Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06A5ADDF

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df85347a0b958d8940e1e0952fd79f8f003bb587e714519e68b06f513b6403e5
Instruction ID: a10965329d6c385086d47bcbb953850beb4c9ee5b13bd6163cf5533641010d06
Opcode Fuzzy Hash: df85347a0b958d8940e1e0952fd79f8f003bb587e714519e68b06f513b6403e5
Instruction Fuzzy Hash: 9151B131B002059FCB54EBB8D844AAEB7F6BF84304F148A2AD9069B794DF30D804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A5AD7B, Relevance: 1.6, APIs: 1, Instructions: 139libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06A5ADDF

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce8a3fda6e3dd9c88c7fd400949d536214ebceb80020301028ec5e1462698449
Instruction ID: 3b71487db0c0c2a0adc34f5d52c12b8db42af9ccc8d6697348b6d6206a3d8925
Opcode Fuzzy Hash: ce8a3fda6e3dd9c88c7fd400949d536214ebceb80020301028ec5e1462698449
Instruction Fuzzy Hash: C7419131B102059FCB54EFB8D844AAEB7F5BF85704F14892AE916DB754EF70E8048B91

Uniqueness

Uniqueness Score: -1.00%

Function 06A583AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 06A58469

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2077fcd6d69b6aada145d55a0bcecd047e6b35f93ef191ae316fecea7225ceec
Instruction ID: 8cf8e05260b1fb9eb9c90b0e95d193c923f214e45e145d5b86b2a1dc68f48d88
Opcode Fuzzy Hash: 2077fcd6d69b6aada145d55a0bcecd047e6b35f93ef191ae316fecea7225ceec
Instruction Fuzzy Hash: AE31E2B1D002689FCB50DF9AD984ADEBFF9BF48310F55802AE819AB310D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06A583B0, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 06A58469

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 47bfa5e4f4531d8546daf0a1053f619f50fcca2e89bbd4f2685e21e421325933
Instruction ID: 2453bf7b95f0fe80f04c65aee109317606232ddc096d8af2d9489bb3fcd36bb2
Opcode Fuzzy Hash: 47bfa5e4f4531d8546daf0a1053f619f50fcca2e89bbd4f2685e21e421325933
Instruction Fuzzy Hash: 8231E1B1D002689FCB10DF9AD984ADEFBF9BF48310F55802AE819AB310D7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A5813F, Relevance: 1.6, APIs: 1, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 06A581FC

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 44e624f7a3f44085b8538b346a482c68c9a6a9069361cd33a1df0528bf6dcf77
Instruction ID: bd88133565e284315929dece57badf380e345f37c98221dd5f7d4f87111ae75b
Opcode Fuzzy Hash: 44e624f7a3f44085b8538b346a482c68c9a6a9069361cd33a1df0528bf6dcf77
Instruction Fuzzy Hash: 6B3114B0D052588FDB10CF99C584A8EFFF5BF48314F25856AD818AB350C7799984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A58148, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 06A581FC

Memory Dump Source

Source File: 00000002.00000002.503904502.0000000006A50000.00000040.00000001.sdmp, Offset: 06A50000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6df0fcd528caf2f33b4b09914065fd368cc43bd174a0cffaeaf401c692e1a57e
Instruction ID: 1385666d7406361eddcfb1be36466f90ef291344d3fe75d2f26f824246a44bfe
Opcode Fuzzy Hash: 6df0fcd528caf2f33b4b09914065fd368cc43bd174a0cffaeaf401c692e1a57e
Instruction Fuzzy Hash: C93102B0D052589FDB10CF99C584A8EFFF5BF48304F29816AE819AB351C7799984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0684EA48, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0684EA0A), ref: 0684EAF7

Memory Dump Source

Source File: 00000002.00000002.503352227.0000000006840000.00000040.00000001.sdmp, Offset: 06840000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5e08b8fa0cc4584712dc4d826fa85af99c3e5eda185bbc0458eb1260217e4a29
Instruction ID: 97dcadbc907f66899b485632f6a93d3fd4b62bf73ef9ca6e00411888decdb15b
Opcode Fuzzy Hash: 5e08b8fa0cc4584712dc4d826fa85af99c3e5eda185bbc0458eb1260217e4a29
Instruction Fuzzy Hash: 9A21DC71C042598FCB10CFA9E5487DEBBF0BF48314F06856AD914B7240E3389945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06847F98, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06847FF9

Memory Dump Source

Source File: 00000002.00000002.503352227.0000000006840000.00000040.00000001.sdmp, Offset: 06840000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f7cac6b74d92ad1e4f96c826067d7ef03d166f8dcd32156a96edbc1f0e7a1e9
Instruction ID: 48bef458a4e387a4acacf771dc4c7f5f26389f2b33bcbed3888ae217f35a4720
Opcode Fuzzy Hash: 9f7cac6b74d92ad1e4f96c826067d7ef03d166f8dcd32156a96edbc1f0e7a1e9
Instruction Fuzzy Hash: 88213D70E11258DFDB54EFB8D498ADEBBB1FF49304F118869D401AB250CB35D845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0684D4DC, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0684EA0A), ref: 0684EAF7

Memory Dump Source

Source File: 00000002.00000002.503352227.0000000006840000.00000040.00000001.sdmp, Offset: 06840000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6d9d5bbca545993303f2670dea62989ec528db269678389223b7d33ee5f3d681
Instruction ID: e861080d4811d82b50ae9682e2bf8382260562b65e6586f9c456e17f9e608051
Opcode Fuzzy Hash: 6d9d5bbca545993303f2670dea62989ec528db269678389223b7d33ee5f3d681
Instruction Fuzzy Hash: 2C1144B1C046599BCB10DF9AD548BDEFBF4BF48224F01852AD918B7240D378A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0687D489, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

P@'l, xrefs: 0687D50F

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID: P@'l
API String ID: 0-68338280
Opcode ID: 2ce2e574322ad9e11c48b53e81b965282fa5ecca08aeefc02075f5aced44806b
Instruction ID: f5aa45a54c6324658ff114a5f95dbe7c2257b8ab022a6f2970a1cefa147d73c6
Opcode Fuzzy Hash: 2ce2e574322ad9e11c48b53e81b965282fa5ecca08aeefc02075f5aced44806b
Instruction Fuzzy Hash: 7531AB31B002098FDB65AF78E4586AEBBF6EF89348B208429D406DB754DF31DC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687D498, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

P@'l, xrefs: 0687D50F

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID: P@'l
API String ID: 0-68338280
Opcode ID: 32306dc09f9190ddb9f31b6a010af95190e4e0d3f13bcbd6a5757747fb000e67
Instruction ID: 0416f6cc2d1505dbd60123b335cc39e0bba5be525633008cf6e1ee5a5f2b0800
Opcode Fuzzy Hash: 32306dc09f9190ddb9f31b6a010af95190e4e0d3f13bcbd6a5757747fb000e67
Instruction Fuzzy Hash: CD318D31B042058FDB68AB78E4186AEBAF6EF89348F14852DD506DB794DF30DD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06874230, Relevance: .8, Instructions: 824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095b61eade4391a5609c2972d41cb94225d673bd0847e683cc9c5d643004290d
Instruction ID: 411c82773a51f3c779afe6f9b7f1531a39c9c99225bac3e4a9178f72c390f5af
Opcode Fuzzy Hash: 095b61eade4391a5609c2972d41cb94225d673bd0847e683cc9c5d643004290d
Instruction Fuzzy Hash: CB727034A04209DFEB65DBA4C850F9E7BB2FF84344F1180A9DA0AAB394DB319D45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06875A68, Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b8174911ff7f9c72c1cce86eb3c218a7c54f3121e8d53b820ed5e120604816
Instruction ID: 30be305cd3c9229651df7aa862fa64054d317477fb1d5dc5f7701d7eb0cb4851
Opcode Fuzzy Hash: 32b8174911ff7f9c72c1cce86eb3c218a7c54f3121e8d53b820ed5e120604816
Instruction Fuzzy Hash: BDE19270A042158FCBA68FB4C89099DB7E2AF95704F64543EDAA5DB291EF309842CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 06872D50, Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17adf8600a4c7a68e126ff641c351166a294f3db9ac47e934d56fb7c45a46efc
Instruction ID: 4e7099901171f1dd897bfbf164454ee5cd13379a80b10e497fdf411dd495cc08
Opcode Fuzzy Hash: 17adf8600a4c7a68e126ff641c351166a294f3db9ac47e934d56fb7c45a46efc
Instruction Fuzzy Hash: B2126A30A10209DFCB64DFA9D884A9EBBF2BF48314F158569E909DB361DB30ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 068732D8, Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca62c949b39808678c0e0aacb23636efdf0216cb806e5148e7849103c3b3fe7
Instruction ID: e52d36c0dfa7c2760cde7bdd3c74e1a78485290ad948b4f226b7a1b1b4f556c5
Opcode Fuzzy Hash: 3ca62c949b39808678c0e0aacb23636efdf0216cb806e5148e7849103c3b3fe7
Instruction Fuzzy Hash: AE025F70A0010ADFCB95CFA8D584AAEB7F2FF88344F198554E516DB2A1C730ED81DB92

Uniqueness

Uniqueness Score: -1.00%

Function 068716C8, Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925e86620eddbeeb99e6e82f9f358156b31ff3e0a4288833a1ca62231e6aca5f
Instruction ID: 907ad6406ec8aec90c8f77977f19cc0ebb9a4ff57f7bcfa8edef677a99fa46bd
Opcode Fuzzy Hash: 925e86620eddbeeb99e6e82f9f358156b31ff3e0a4288833a1ca62231e6aca5f
Instruction Fuzzy Hash: 79C1EF347042198FDB659B68C858B7E7BB2AFC8348F088569E946CB784CF34CC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06874F60, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb33a072e42f43bf583265e63bf3d2ee4630ac09b3e06bd58787a3db59727930
Instruction ID: 3c997daf9557ede9eb62e8c2383cff9f6d7aeb69f5159ce4ce6b45cc69cd7c33
Opcode Fuzzy Hash: cb33a072e42f43bf583265e63bf3d2ee4630ac09b3e06bd58787a3db59727930
Instruction Fuzzy Hash: 08D1D971E002198FCB44CFA8C9849ADBBF2BF89314F168599E515EB361CB71EC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0687C818, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bb6c0a2086377e98008366f452412a4be31f09dc119c6578d901e56a0cb7dc
Instruction ID: 42c66aa2ca6c4758ce84cff86944ccc320b7c503e65e58b227330cfc2dd1cc81
Opcode Fuzzy Hash: a0bb6c0a2086377e98008366f452412a4be31f09dc119c6578d901e56a0cb7dc
Instruction Fuzzy Hash: 60A15830B04204DFDB54AB74D859B6DBBA6EB84325F148A68E926DB3E4DF31DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06872D40, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c97505379d60288ca3b0faabc5688edc7afd1172d0ee61707c5573dcd4c4a1
Instruction ID: d5576695faed5b3a95854b225ab9bf0e34fc2ce3e72b79cfec75212a5f1e7f1a
Opcode Fuzzy Hash: a0c97505379d60288ca3b0faabc5688edc7afd1172d0ee61707c5573dcd4c4a1
Instruction Fuzzy Hash: ACC16A30A00219DFCB64DFA9C894A9EBBF2BF48314F158559E949EB261D730ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687F440, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b87068cca240b9cc7fd974bf6cc563c64e9cf96f8d75466282f8ab39fe1b3a
Instruction ID: 99d3f04fc69ce495f9e8114a996e608f88b3dac458c562472323a36f253d9f98
Opcode Fuzzy Hash: 69b87068cca240b9cc7fd974bf6cc563c64e9cf96f8d75466282f8ab39fe1b3a
Instruction Fuzzy Hash: A5A17C34B042458FCB95DF3AC854A6E3BE5AF5A204F1940AAEB05CB3B2DB74DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687B488, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27d7ab0925d64930ad67a7c3f0aff2f2d98ce28b4645771dcd821260e7c1b7c
Instruction ID: 2831cba7b8955b7941b4dd6a2598dc4a98d0d67571704b7b91c0099c108efedc
Opcode Fuzzy Hash: e27d7ab0925d64930ad67a7c3f0aff2f2d98ce28b4645771dcd821260e7c1b7c
Instruction Fuzzy Hash: 95916A30B042099FCB54EFB8E8586AD77B3EF88308F108969DA06DB754EB349D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06871AC0, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10589b71e35bdb8fbe19bfb87908c9baf071dd02ca8c8b5e21eaa01a23309838
Instruction ID: 296770e0137a2295cc789a75303995f60893a271e37d5f73b085fcf7a7debc70
Opcode Fuzzy Hash: 10589b71e35bdb8fbe19bfb87908c9baf071dd02ca8c8b5e21eaa01a23309838
Instruction Fuzzy Hash: 7191D235B00205CFCB94CFA8C489AADB7B2FF89655F188069D956DBB60DB31EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06875688, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696bd41876cfcfc4e150c3046444db5eddc5a6051dd1ebec954b6fb6a9c9b91c
Instruction ID: 303a74db967de5504086c37eed19fac0448ecfbbc122726201fd3b55b3c86e79
Opcode Fuzzy Hash: 696bd41876cfcfc4e150c3046444db5eddc5a6051dd1ebec954b6fb6a9c9b91c
Instruction Fuzzy Hash: A7917F35A04219CFCB51CF68C484AAEBBB5FF45350F1684AAE919DB362CB30ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0687E7D8, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32b4b26255f40ef54c86bb0a40633b38ae08457d5ef0235d8ffaddf77cdd196
Instruction ID: 522498d543f9d5cd7b4d2fab1cf3ca13d6d92926f713f4edee1bfa3f0ea4a0f0
Opcode Fuzzy Hash: b32b4b26255f40ef54c86bb0a40633b38ae08457d5ef0235d8ffaddf77cdd196
Instruction Fuzzy Hash: 58716F30F102059BCB649BB8D4587AEB6F7AFD8344F248429E906DB794EF34DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0687B478, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26943c71991a7829760299dea37d225b13c5a20902d4eeadfd88d8b26bc852f6
Instruction ID: 9e9d714f476edf796477b8a10cdc1dd327bbccc563dee4e0044fe6dd41f66ce9
Opcode Fuzzy Hash: 26943c71991a7829760299dea37d225b13c5a20902d4eeadfd88d8b26bc852f6
Instruction Fuzzy Hash: FA616C30B043058FCB64AF74D4586AD76B7AF88308F248828D906DBB54EF74DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06873AC8, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ee4656af2b27787916d81f734fe65a024cf482bdacd68eb71d39bf8815e353
Instruction ID: 34191633d8014922f8c367155ff5965a03ee46e0462c7a9e7cb22c0c685b0570
Opcode Fuzzy Hash: 50ee4656af2b27787916d81f734fe65a024cf482bdacd68eb71d39bf8815e353
Instruction Fuzzy Hash: FC51BF317186158FDB94CF39C88896ABBE9FF8921471540BAE506CB371DB31EC01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0687CD8F, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2e9f74795fbd6145726838d08bf5c263d8194790dab0f0b0652d6d4dbfeb46
Instruction ID: b3048d473315a6aba6997720cec3a4866a4c99501e9b77aec9c0f5603ece0fcb
Opcode Fuzzy Hash: 0e2e9f74795fbd6145726838d08bf5c263d8194790dab0f0b0652d6d4dbfeb46
Instruction Fuzzy Hash: B2712B34E143059FCB10DFB8E94899DBBB6FF49304B508969D804EB764EB396E05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0687EAC4, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35a61ea1c54e7adf3a58a2b5355ba87222e773b4f5df1a9f84778f209e0af87
Instruction ID: 2c6e45d8ca27da293bb49527ede4bc18968bc73d87cd3ad8a7717af24056bd70
Opcode Fuzzy Hash: f35a61ea1c54e7adf3a58a2b5355ba87222e773b4f5df1a9f84778f209e0af87
Instruction Fuzzy Hash: 05416D31B102058FDB649BB8D45977EBBF6AB98354F248468E906EB794DF34CC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 068758FA, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7361f9ef6ad3b7f646f5a9967e1dba411786bced66c50110e0ee84526473b0
Instruction ID: 631555110116faf59c0780958194cf37210f70c1543199fc1e75aab62e27fa3e
Opcode Fuzzy Hash: 3d7361f9ef6ad3b7f646f5a9967e1dba411786bced66c50110e0ee84526473b0
Instruction Fuzzy Hash: 2A41F3703042158FCB55DF28E855ABE3BB2EF85314B0444AAE949CB2A2CF35CC12CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0687CDF0, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07f45482f1a94168dd4de79af7cbdef69e3420c13f0a48145139c3dbf135a8d
Instruction ID: 79a3339a79aafbbc6dac2b4e134f903460aa19d33788b16dfaf07494de797182
Opcode Fuzzy Hash: f07f45482f1a94168dd4de79af7cbdef69e3420c13f0a48145139c3dbf135a8d
Instruction Fuzzy Hash: C451F934E142099FCB20DFB8E58999DBBB6FF49304B508924D804E7B24EB396E15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0687F93B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1223b2db6b7be5066a8fd1e1d60b248a023bf4524af86dbecd93f781d4a54a4
Instruction ID: 3911ae8e52b90db55eb68e9f8794bd17776c4cc2d10503176b64b7fcf21a2608
Opcode Fuzzy Hash: d1223b2db6b7be5066a8fd1e1d60b248a023bf4524af86dbecd93f781d4a54a4
Instruction Fuzzy Hash: 5641D431A04249EFCF41CFA9C844BAEBBB2FF49358F008156EA15EB295D330D914CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06875686, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0bccdda040e1b25c1156cb347c9a808a8eb607b320e76347dcf6d5c8b6434d
Instruction ID: 8fd903fef078f435aaf89d790405a4f875ed43508b473342ee39caf8bf7c4a71
Opcode Fuzzy Hash: 8b0bccdda040e1b25c1156cb347c9a808a8eb607b320e76347dcf6d5c8b6434d
Instruction Fuzzy Hash: 6441E535A00219CFCB55CF68C584A6DB7B2FF54394B1AC499E9199B3A2CB30FD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 068738D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d20870acb9371f8a9e1f7ccb6973d5ae73c1a3dbd9bf0ca450d34adcd4d5411
Instruction ID: 43803439a27ebe37e320e48abaf66ebe05f92b4e1210b8e5b8ecab40babfa167
Opcode Fuzzy Hash: 5d20870acb9371f8a9e1f7ccb6973d5ae73c1a3dbd9bf0ca450d34adcd4d5411
Instruction Fuzzy Hash: 4D413A747102199FDB54CF28D849BAE7BB6EF89314F100069EA16DB360CB71DD40DB92

Uniqueness

Uniqueness Score: -1.00%

Function 068714A8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a54c45d76e63a2d0b1fe3e1ef6cf9516136a9a9d42db97c0dd8dc029599e24
Instruction ID: d1d45cdd2fa9f9c18a0cf041bd36c03644c8d68c24d0c11daa149d1df4963618
Opcode Fuzzy Hash: 78a54c45d76e63a2d0b1fe3e1ef6cf9516136a9a9d42db97c0dd8dc029599e24
Instruction Fuzzy Hash: F341A03170410ADFCF559F69E859AAE7BB6FB88300F088069FA46D7251CB35CD21DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0687AB18, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e2f77cb92d1a8d627f29a6e918804c0d8c3cb013662c54729911853db71b03
Instruction ID: 32e40edede87e9904e2e0af631607599ce2a11fe4c92bf734db20b99848b8068
Opcode Fuzzy Hash: c1e2f77cb92d1a8d627f29a6e918804c0d8c3cb013662c54729911853db71b03
Instruction Fuzzy Hash: 9B319F70E042089FCB98CF78D584AEEBBF2EB99315F15856AD508DB311E731E942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 068719E0, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99071043e577347a4b2493103e581b458bcfc93a8d71bcd1faa1e366ed2b232f
Instruction ID: 945a291f1a50314a16c4fe16f52266b568e606482d441a53badfde7e9a2a1506
Opcode Fuzzy Hash: 99071043e577347a4b2493103e581b458bcfc93a8d71bcd1faa1e366ed2b232f
Instruction Fuzzy Hash: 8721A8317046008FC3255678C859A3E7BB6EFC5259B1945B9E606DB7A2CF30CC06C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 06873D09, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278cce187c896b2c16261b18f69e901868cf243a2abcb002dbd35b5a07df7837
Instruction ID: 0666a4e4a81dd3940975811d98ad9b6183571d62f7dc7ad5439411b54d8cebb8
Opcode Fuzzy Hash: 278cce187c896b2c16261b18f69e901868cf243a2abcb002dbd35b5a07df7837
Instruction Fuzzy Hash: 5B21D3317182198FDBA51735849457D3EA79FC5618728407ADA02CFBA5DF28CC02A7C3

Uniqueness

Uniqueness Score: -1.00%

Function 06873D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a36f234941e1fd3e3296682dc1cb37af365d3670e20d8e8dd2a188c950ffe40
Instruction ID: d37535f3b9cec7d27508142d9ef2230f1fa336f6176f48abef681328a4aaaf08
Opcode Fuzzy Hash: 5a36f234941e1fd3e3296682dc1cb37af365d3670e20d8e8dd2a188c950ffe40
Instruction Fuzzy Hash: 9B21C2317282194BEB546635C4956BE3AAB9FC4618F248039DA02CFB94DF39CC42A7C2

Uniqueness

Uniqueness Score: -1.00%

Function 06873C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df56b2ad140c9cb19bb7373dd7dcdc2d3d1e3599d68e42c0fe8d3c31f6937c5a
Instruction ID: f11434bb9f7cf8e4f4e4cf19474d755cc4877c8a268aca36dbacafeb235fb2ca
Opcode Fuzzy Hash: df56b2ad140c9cb19bb7373dd7dcdc2d3d1e3599d68e42c0fe8d3c31f6937c5a
Instruction Fuzzy Hash: F821E7717042699FEB54CE69E884A6F7BEAFFC5202F054426E912C7240D775CD40EBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0687C7B8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0e5ec9d977357ae06d0144ad2b12fdbdaf17fb0412d6996c895aad7890f9795
Instruction ID: c92a324a39163309e3a383c60b35e3eac7b26eafa3f46d49e1aa668f1204a89a
Opcode Fuzzy Hash: a0e5ec9d977357ae06d0144ad2b12fdbdaf17fb0412d6996c895aad7890f9795
Instruction Fuzzy Hash: 32210430B183449FDB50DB78D818A5E3BF6EF86358F1188AAE905DB392DB35DC068790

Uniqueness

Uniqueness Score: -1.00%

Function 0135D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488249807.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee2570abe3ea3bb0058c3f098ca2b80cd2d97feb0e54e2ff920c6bff2d8a6f8
Instruction ID: 1ebe5685238a3a5044f30cc0016da22d3b1639c13903923c58e8d629ecbe8c56
Opcode Fuzzy Hash: 1ee2570abe3ea3bb0058c3f098ca2b80cd2d97feb0e54e2ff920c6bff2d8a6f8
Instruction Fuzzy Hash: 59216AB1104244DFCB41DF94D9C0F26BF69FB8872CF248968EC054B246C336D856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0135D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488249807.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763611041bae82480864173190a3efbc647c828e03e3ff9a51b791f33632db02
Instruction ID: 16a2df76e9ea1ec944c878b592036c4b9f769d106f27479edb645bd536c362c8
Opcode Fuzzy Hash: 763611041bae82480864173190a3efbc647c828e03e3ff9a51b791f33632db02
Instruction Fuzzy Hash: B72141B1504204DFCB01DF94D8C0F66BF69FB8872CF208968ED055B206C736E846CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 06871DB0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d530cbe1588bfa10d2f1b677bbdb1a62f09e91f0c4d72ea2cd7e353716ae3c
Instruction ID: 5f39b61c64fb0893329ba94cbc677dc41a62ab5b00c58a8dce63b88e68122f0b
Opcode Fuzzy Hash: 54d530cbe1588bfa10d2f1b677bbdb1a62f09e91f0c4d72ea2cd7e353716ae3c
Instruction Fuzzy Hash: 2D1134327082140BCB64ABB8EC95A6B32BADBC1258B140539EA05CBB64EF31CC05C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 0136D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488372104.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb160606f921ea294ebd816589d190639c0b1b726eca026ffa99146f53bf9cb3
Instruction ID: c5235efd1d83dad3380021191056f9fbf6e12d94cb0a90273eb9e722d673609b
Opcode Fuzzy Hash: cb160606f921ea294ebd816589d190639c0b1b726eca026ffa99146f53bf9cb3
Instruction Fuzzy Hash: 31212571604244DFCB11CF64D9C0B26BB6DFB88358F24C96DE88A4B74AC337D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0687FA20, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d30dbbd1edefe400ca52fe6f1f8f458b1fcb2eca646cdb382c665c7b7448152
Instruction ID: 6d7b737b276b304c056a62437e1190fac2a731bd9f85adaa31d29d62f85d3823
Opcode Fuzzy Hash: 3d30dbbd1edefe400ca52fe6f1f8f458b1fcb2eca646cdb382c665c7b7448152
Instruction Fuzzy Hash: BA118131A002459BDB50CF6EC885B5EFBE2AF85358F148255D628FF295D371E810CB95

Uniqueness

Uniqueness Score: -1.00%

Function 06872613, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b632e0829a1e60e18bb90456bce075cd5c3580a09bbbbab77c0b784b4328dab3
Instruction ID: 94a20265e3b8b6bc23422568b19f9a42a1bd4319a9d348d006df477775c0722f
Opcode Fuzzy Hash: b632e0829a1e60e18bb90456bce075cd5c3580a09bbbbab77c0b784b4328dab3
Instruction Fuzzy Hash: 68117971A00208DFDB24DF94C848BAEBBF6EB48364F04846AE619DB211D371EA54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0135D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488249807.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: c4c282bdffd7d020119ebe5dfef6dd0aa53974d1f848708fe370a7c729057b93
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: D411D076404280CFCB02CF54D9C4B16BF72FB84728F28C6A9DC494B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0135D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488249807.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 3601ab388598d290f4fee7c92e999fa7155a2fe66a8e05535ce6197f466965d6
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: 6611AC76404280CFDB12CF54D9C4B56BF71FB84728F2886A9DD094B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06875850, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b765d5a0d5514a105513e1275d38001632f1ac0156763160bc2d87c1e4fd9bd7
Instruction ID: 82412f79956bbc4d19e78fa544a508b1ebe0a9cbbc9197f6db3d6db36981f4aa
Opcode Fuzzy Hash: b765d5a0d5514a105513e1275d38001632f1ac0156763160bc2d87c1e4fd9bd7
Instruction Fuzzy Hash: 49119A70E1124A8FDB41DFA9C840AAFBBF5FF49304F10486BE915E3251CB709A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 068714F0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eed5326f7b06d720c21871d5f0af43640dd62bcc7af713af062a4f3158fb6b
Instruction ID: 4eff577a68d6d7ed886bd63ef72e8b182bf9a50df518ab50eac5bcdb00b4a57d
Opcode Fuzzy Hash: 14eed5326f7b06d720c21871d5f0af43640dd62bcc7af713af062a4f3158fb6b
Instruction Fuzzy Hash: 70117031610119DFCB599F29E989AAE7BA6EB48315F044029FE46D7610CB35CD51CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0136D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.488372104.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction ID: d508cd97eb16babbbe721a9990b0bfee8dba7fe4dd6dd5f048a91b75e4c74759
Opcode Fuzzy Hash: 1634690fb963a58e4e786e327c84160adc3c6b9f5f52cf29ba2d57553d863054
Instruction Fuzzy Hash: 3D118E75504280DFDB12CF54D5C4B15BB71FB84318F28C6A9D8494B65AC33AD45ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0687D3C8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0802b7272cb86f3b51ae1a0f9a96fe05615e5b62f7b3828287be1cbe47c7f7
Instruction ID: 731911236274e6fd8fa20e9ee185273584e83ee6f6c46633e16578efcc8a9405
Opcode Fuzzy Hash: 8c0802b7272cb86f3b51ae1a0f9a96fe05615e5b62f7b3828287be1cbe47c7f7
Instruction Fuzzy Hash: C8111835B002199FCB90DBBCE85999EB7F6FF8C314B508429D90AE3354EB349D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06871627, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf0b249db73754a1cb6ca64241860f81d81916a2e10b8c5d26635cee29d6147
Instruction ID: 94722c26e73a7e7493d936b632320e1f1de13ca3c6ef045ab2aa47d5930a1d1f
Opcode Fuzzy Hash: ccf0b249db73754a1cb6ca64241860f81d81916a2e10b8c5d26635cee29d6147
Instruction Fuzzy Hash: 8701B172B001296BCF459E69D811BEF3BAAEBD8790F188029FA05C7280DE71C91587D0

Uniqueness

Uniqueness Score: -1.00%

Function 06873A20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623211f13938b671115814d3d8dc259fcfc9f6d1289dbbcc927ea683e56ad215
Instruction ID: 954a53523a3f329d2d54a5b3ecfef90eb624a956facd6776c85fad862efe16d5
Opcode Fuzzy Hash: 623211f13938b671115814d3d8dc259fcfc9f6d1289dbbcc927ea683e56ad215
Instruction Fuzzy Hash: 0FF0C231710A105F8F555A2ED855A2EFBDEEFC9A913194079FA09DB361DE20CC02C381

Uniqueness

Uniqueness Score: -1.00%

Function 0687AAA1, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c90dd67a5661616582c97a28d3bc97c61bd62881b55cb6a5125692a37daddb
Instruction ID: dbf9ae6783996e5cbad6dc7bbaf2722fec5250baea26331539c6dde26e706569
Opcode Fuzzy Hash: b8c90dd67a5661616582c97a28d3bc97c61bd62881b55cb6a5125692a37daddb
Instruction Fuzzy Hash: FCF0CD32F041248F8B84DBBCAA411AE77F5EB88225710417BD10EE3200E73089028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0687AAB0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52dd39c23e10d8e53195dd3861b70ccd5f84a624e0f372b0324370a596926d33
Instruction ID: 541ede3792991c62e27513f83de6940e04bd29f2216b5b6df0810098e8666855
Opcode Fuzzy Hash: 52dd39c23e10d8e53195dd3861b70ccd5f84a624e0f372b0324370a596926d33
Instruction Fuzzy Hash: FBE01271E001199F87509BBD98455AF7AF9EA8C261B014176D619E3200E67089018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0687D429, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bb1aa2a69c98905c63dab1497f91e1c95c62e91e8cf29217f8e0a69e603e88
Instruction ID: 8974aa8189f584477fb46fd56c7aebf369f0665ba29eeca8d3686a0fcb614bb9
Opcode Fuzzy Hash: 94bb1aa2a69c98905c63dab1497f91e1c95c62e91e8cf29217f8e0a69e603e88
Instruction Fuzzy Hash: AFE0C975B101168BCF54EBB9E8584DCB3F6FF88259B108065D90AE37A4DE349C018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0687B832, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0423bcb8d70ae6e3814bb59819024e70c9f07a35c57a1a5b86089d0caaab06e8
Instruction ID: 0ceadd0dd4937dba76b2585cede11cfe18bdb9b097fc2e5289465235e8705137
Opcode Fuzzy Hash: 0423bcb8d70ae6e3814bb59819024e70c9f07a35c57a1a5b86089d0caaab06e8
Instruction Fuzzy Hash: B2E0EC309692818FDB619E34A55825A3B66EF07355F2109AAD509CF2A1D63BD851CB00

Uniqueness

Uniqueness Score: -1.00%

Function 06874C98, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: d132b6dde19903255d02b37a5aaacf276bf8e6a20678aaf6838dfeed6f170098
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 56C01233A0C2282AA364508E7C41AABABCCC3C22BAA210137FA5CC320098429C8442E8

Uniqueness

Uniqueness Score: -1.00%

Function 0687B840, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb334378e92139c698fed5ff4ae9f0a71284ef57bc2dedc8c42a1bd9f2a8e6c4
Instruction ID: b26d919d78694f7af100e84d32afe588edf7d89b4eee08750280bab8cacd1a11
Opcode Fuzzy Hash: bb334378e92139c698fed5ff4ae9f0a71284ef57bc2dedc8c42a1bd9f2a8e6c4
Instruction Fuzzy Hash: 04D01230E6024A8BDB706D74A54936D375FEB453A5F600839DA0ECB340D63ADC80D740

Uniqueness

Uniqueness Score: -1.00%

Function 06874E65, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38749c07e0b2cce3545aa566c8e0d677ff24e7b0743ee87bdac558048343a2fc
Instruction ID: 86c465d09f36f9c4354910d2c838642fc0616726113b42f9ba54e1c3198e757a
Opcode Fuzzy Hash: 38749c07e0b2cce3545aa566c8e0d677ff24e7b0743ee87bdac558048343a2fc
Instruction Fuzzy Hash: CBD0673AB101189F8B049F98E8409DDB7BAFB9C225B448556EA15A3265C6319921DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06871D72, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55344aeb8c2456cc109c9a8d92dae1aa776a4ad971cd06c973b590da15aefa9
Instruction ID: 96abf00f547ff498a80cea3c4808c84d1b43c0ff8feec742e6a07d390fcde3dd
Opcode Fuzzy Hash: c55344aeb8c2456cc109c9a8d92dae1aa776a4ad971cd06c973b590da15aefa9
Instruction Fuzzy Hash: FED05E301AC2195BCB90EF68F9966553369E781308F80AA10E90447628DF75DD098741

Uniqueness

Uniqueness Score: -1.00%

Function 06871D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d005d28ac3e43176e06746c6d98c4f063fc7101a783088e2cbe750cc9a64386
Instruction ID: 942cbe8b497798dbea396e9b6ae0e3295ef1e80003bf4e71385b19aa2e382111
Opcode Fuzzy Hash: 7d005d28ac3e43176e06746c6d98c4f063fc7101a783088e2cbe750cc9a64386
Instruction Fuzzy Hash: 3FC0123016C20946C690BF7CF956425336AD6C13087809A21E5044A628DF759D054B95

Uniqueness

Uniqueness Score: -1.00%

Function 06879622, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.503470316.0000000006870000.00000040.00000001.sdmp, Offset: 06870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cdeafed8443f31b40ebeec777a15745f73df1c1f408522e75c4db2a552ce12
Instruction ID: 93fbeb428874932ce9189230a6b3c53343261d5b4b013742af1a903b57780c00
Opcode Fuzzy Hash: 47cdeafed8443f31b40ebeec777a15745f73df1c1f408522e75c4db2a552ce12
Instruction Fuzzy Hash: 2AC0123AA000188AEB00A640FC922CCB321E780229F2001A2D20882580DB32AA564B90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vlc.exe PID: 6248 Parent PID: 3388 vlc.exeCOMMON

Executed Functions

Function 06C36158, Relevance: 3.7, Strings: 2, Instructions: 1233COMMON

Download Yara Rule

Strings

##, xrefs: 06C36F86
3", xrefs: 06C370D3

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID: ##$3"
API String ID: 0-253056818
Opcode ID: f19ed794f449118b9a730059cf6464b80ef84ee42e5efffe04881226fe009a08
Instruction ID: da3dea00c310d03f4f5a2615c3130ef04b8e07c0e353a7f984f2d266e93bb641
Opcode Fuzzy Hash: f19ed794f449118b9a730059cf6464b80ef84ee42e5efffe04881226fe009a08
Instruction Fuzzy Hash: F5B25974B002248FDB64DF69C994A69B7F2BF89304F1184AAE84ADB361DB31ED41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06C32D38, Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d819821e1867d7c95d1c9f04b4e693cc4c6bca84b10d9d640b0b6c7e9b772f01
Instruction ID: eff2d9d3cb0269f9ba81afc3753fd6874a722c43e1e170789d8ba60a220a9c05
Opcode Fuzzy Hash: d819821e1867d7c95d1c9f04b4e693cc4c6bca84b10d9d640b0b6c7e9b772f01
Instruction Fuzzy Hash: CC426C30B00295CFDB55DFA8C494A6EBBF2BF89300F158469E90A9B361DB35ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C30448, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1bb13cab376eed93f528eb487848415e1195d1baa9ec96c08bf132baec959f
Instruction ID: 081ff12a19f20b286a2606e74c84ffc9ca85301e2ae333554966f56805bfce5c
Opcode Fuzzy Hash: 6e1bb13cab376eed93f528eb487848415e1195d1baa9ec96c08bf132baec959f
Instruction Fuzzy Hash: 19F15776A00615CFDB65CF69C484AAABBF2FF89300F14896DE8469B761C734E985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9470, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EC96B6

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4b554d728aad2561155c36a2cfc5f2b8b82f92b147c0fe11b72ac72eb6a02a47
Instruction ID: 755174b6dab98a1ea54c19f554451f58f2fdd6c2dca112c0ef0ed176af177bfc
Opcode Fuzzy Hash: 4b554d728aad2561155c36a2cfc5f2b8b82f92b147c0fe11b72ac72eb6a02a47
Instruction Fuzzy Hash: C67147B0A00B048FD764DF69D645BAAB7F1FF88304F00892DE44AE7A41DB75E906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE150, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ECFEEA

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cf161deb7ae950086b7b3597ac4f89e5b69d57830a2ebcc5120a678dff89122b
Instruction ID: 5d694cb5e2437c40551daf9cd3cfd8bba011eaf12519e6e182ee83586c8e16ff
Opcode Fuzzy Hash: cf161deb7ae950086b7b3597ac4f89e5b69d57830a2ebcc5120a678dff89122b
Instruction Fuzzy Hash: 0B51FFB1D043489FDB15CFA9C980ADEBFB6BF48314F25812AE419AB210D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE16C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ECFEEA

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9d9efb5eaccccccb558772c49fb2ba8a302c96ed3954b34d1f2836f009ddcee6
Instruction ID: 8bf2e2eea2ab34e1b374a94bcdf5f316c516253eefd3e7cbaeb4d2992ca67c68
Opcode Fuzzy Hash: 9d9efb5eaccccccb558772c49fb2ba8a302c96ed3954b34d1f2836f009ddcee6
Instruction Fuzzy Hash: 7751BFB1D003489FDB14CF99D984ADEBBB6FF48314F24912EE819AB250D7759845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECFDCD, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00ECFEEA

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0a14efe441a2ce31cba1c3382a3dbcbd3282ccf40451f45db0eaa7384924390c
Instruction ID: d5b778847fbf40d87ec29b7e6ea235601cbb42e29b9602ec522f71a1fc92ec76
Opcode Fuzzy Hash: 0a14efe441a2ce31cba1c3382a3dbcbd3282ccf40451f45db0eaa7384924390c
Instruction Fuzzy Hash: EB51CFB1D00208DFDB14CFA9C980ADEBBB5FF48314F24852EE819AB250D775A846CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00EC5441

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6ce8b4794a1d4a1c53965f54e9218b69def34c51aac628e5a9502b95245429e3
Instruction ID: aed51312956827c811bf3eb1026349206bb141262b5b5e73e94fe76b07169881
Opcode Fuzzy Hash: 6ce8b4794a1d4a1c53965f54e9218b69def34c51aac628e5a9502b95245429e3
Instruction Fuzzy Hash: 3F4115B1C04718CBDB24CFA9C944BDDBBB5BF48309F208069D419BB241D776A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC538E, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00EC5441

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: af30fdb8e43bb45713f7d5fa54b92a8aee5c15b9c7dcac98cbb79b9971993138
Instruction ID: 5cf04f177a41a6315ae12f366903557a3aa7e275adeede21cf98f02cc95000f4
Opcode Fuzzy Hash: af30fdb8e43bb45713f7d5fa54b92a8aee5c15b9c7dcac98cbb79b9971993138
Instruction Fuzzy Hash: 2E4115B1C00618CFDB24CFA9C984BDDBBB5BF48309F208069D419BB251DB756986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06D693ED, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06D694C2

Memory Dump Source

Source File: 00000006.00000002.307084203.0000000006D60000.00000040.00000001.sdmp, Offset: 06D60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 17df824da8cd60bbe29ab7559e4c9b36998ca7d832c0384477c5cd9932c782c1
Instruction ID: 73750d1d695def70733271de2ef849ce7f8c8c5b5462bfda14db9aeeef095a94
Opcode Fuzzy Hash: 17df824da8cd60bbe29ab7559e4c9b36998ca7d832c0384477c5cd9932c782c1
Instruction Fuzzy Hash: 213155B0D0024A9FDB54DFAAC8947DEBBF1BF08310F148529E865AB380D7B4A445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06D65CE0, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06D694C2

Memory Dump Source

Source File: 00000006.00000002.307084203.0000000006D60000.00000040.00000001.sdmp, Offset: 06D60000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fd1bab4f5df800a98102ae5e68cea64079ad4daa6eb4dc7fd5c71aee5a63cfdc
Instruction ID: 18eb76f6b0fd2e34d4f1d3c7675c8f101a407cf2aab439428ab39f63f2acb886
Opcode Fuzzy Hash: fd1bab4f5df800a98102ae5e68cea64079ad4daa6eb4dc7fd5c71aee5a63cfdc
Instruction Fuzzy Hash: 4F3136B0D0024A8FDB54CFAAC9947EEBBF1BB48314F148529E825AB380D7B4A445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAB9C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ECB956,?,?,?,?,?), ref: 00ECBA17

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 82f50d245f3b78a65c412fd7eb5cad6e83393cb91a06561ff3490229e03632fe
Instruction ID: e7e806ed8c088aac4268758268865691b5453e8e23d4459af18d66811dfefff9
Opcode Fuzzy Hash: 82f50d245f3b78a65c412fd7eb5cad6e83393cb91a06561ff3490229e03632fe
Instruction Fuzzy Hash: 1E2105B5900208DFDB10CF9AD984AEEBBF8EB48314F14841AE918B3310D375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECB988, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ECB956,?,?,?,?,?), ref: 00ECBA17

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c78b8e0ea182b9a417a8175eb157ad34bedd810fea0d11ef173821b09c72580
Instruction ID: 3f4df7dd0f71adcd8d46a4ab336a5e67617273d8de682573df91fbf48d06623c
Opcode Fuzzy Hash: 1c78b8e0ea182b9a417a8175eb157ad34bedd810fea0d11ef173821b09c72580
Instruction Fuzzy Hash: 702103B5900248DFDB00CFA9D984AEEBFF4FB48324F14841AE958A3310C378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC98D0, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EC9731,00000800,00000000,00000000), ref: 00EC9942

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 473069dcea6bdd3e8e3167d725a78de99db3444c0f890e571f4622abbeb3f99f
Instruction ID: 567e99a6ddf7ca923d3835bff005d8dbaa7b2670dfcdf2fc7b19d11ada6f7eef
Opcode Fuzzy Hash: 473069dcea6bdd3e8e3167d725a78de99db3444c0f890e571f4622abbeb3f99f
Instruction Fuzzy Hash: 231114B69002498FDB10CF9AD548BDEFBF4EB88324F11841ED519B7600C779A94ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC89D0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EC9731,00000800,00000000,00000000), ref: 00EC9942

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d40623e0fabed84a0ba52f413516bbdfbb1b72a39fdbd1a1c67a9412e5714de0
Instruction ID: 48ea12f3ad43b25ca81fe70f9cb3dded3154a5fff1c37dd21553a58030eb2a01
Opcode Fuzzy Hash: d40623e0fabed84a0ba52f413516bbdfbb1b72a39fdbd1a1c67a9412e5714de0
Instruction Fuzzy Hash: A61103B69003499FDB10CF9AD548BDEBBF4EB88324F11842EE915B7200C775A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06D696A1, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D6970A

Memory Dump Source

Source File: 00000006.00000002.307084203.0000000006D60000.00000040.00000001.sdmp, Offset: 06D60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 058689bfb87911e010283b93e83d05e196e9c2ef5123cd4736d2c4759f96ee0d
Instruction ID: 78470d61826873391c1d1fd6db96f2daaa3ced8db014e65745b2ff090c647302
Opcode Fuzzy Hash: 058689bfb87911e010283b93e83d05e196e9c2ef5123cd4736d2c4759f96ee0d
Instruction Fuzzy Hash: 561146B1D042098BCB10DFAAD8447DEFBF8AF88224F14881AD559A7640CB38A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06D696A8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06D6970A

Memory Dump Source

Source File: 00000006.00000002.307084203.0000000006D60000.00000040.00000001.sdmp, Offset: 06D60000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b6189c888276d42e23d4d6a7a1ff81da811c9d593294df5687392a18ce679c36
Instruction ID: 2d9c1cf3fb3ca0eff9dfc5554857c7f93f125aef2733f87d134678d0741b4907
Opcode Fuzzy Hash: b6189c888276d42e23d4d6a7a1ff81da811c9d593294df5687392a18ce679c36
Instruction Fuzzy Hash: 3C113AB1D042498BCB10DFAAD8447DEFBF9AF88324F148819D519A7240CB79A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9650, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EC96B6

Memory Dump Source

Source File: 00000006.00000002.299832283.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7b78f6d10c5fd6a1e5ed8eda008939b855e7725eb302a21c43f372b4122021aa
Instruction ID: b1944287233ad8d7f0031b9a2fe3ec10be41b705fcccc4db9c01d47191cedee7
Opcode Fuzzy Hash: 7b78f6d10c5fd6a1e5ed8eda008939b855e7725eb302a21c43f372b4122021aa
Instruction Fuzzy Hash: 84110FB6C002498FCB10CF9AD948BDEFBF8AB88324F11841AD419B7240D379A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C32B88, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

@, xrefs: 06C32CF2

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: da792e7831171bdc30e5704141fc19f0952e0549ed74495d592cbf43db5d4b44
Instruction ID: de049989b9dd57306a4cde7d8e41bb9c93c0728de7983b76c10a18c21c20b9fd
Opcode Fuzzy Hash: da792e7831171bdc30e5704141fc19f0952e0549ed74495d592cbf43db5d4b44
Instruction Fuzzy Hash: 5F518F71E002299FEF55DF69D884AAEBBF1FF48300B148069E815EB251D734DE55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C32B83, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@, xrefs: 06C32BBA

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4bc6161e9dfd0cee157446fd1502ea70b41bb3730c848ef69856e83bd1aeca06
Instruction ID: b5b607900ac4e4d950f9d0f6c56562c0386e1e82ea68a709c3041cbebe75960a
Opcode Fuzzy Hash: 4bc6161e9dfd0cee157446fd1502ea70b41bb3730c848ef69856e83bd1aeca06
Instruction Fuzzy Hash: 0E21B072A002299FDF10CFA8C884DAFBBB5FF88310B04846AE815D7210D734DB05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C325D0, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20376d7187293e06d6b9abd3d6ef4c8304a45855da2a978285fd4a398715e122
Instruction ID: 54e71a492e36e4d9dfb827325c24f9fb7497b92f3fe408348572a88c68f5f9ec
Opcode Fuzzy Hash: 20376d7187293e06d6b9abd3d6ef4c8304a45855da2a978285fd4a398715e122
Instruction Fuzzy Hash: 89C11A74A002458FCB44DFA9C584AAEBBF2FF88314B56C499E509EB326DB34ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06C344A0, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5072ce715c5b905d7c71e61cdf570dbe91eccb381c6804391514a4045a75c1a
Instruction ID: edeb5e33bdf4c25e3881b055b9d92a636cba05cdc96769d157ecd4b3a3ea4f07
Opcode Fuzzy Hash: d5072ce715c5b905d7c71e61cdf570dbe91eccb381c6804391514a4045a75c1a
Instruction Fuzzy Hash: 9BC10574A00219DFCB48DF68D48499EBBF2FF89310B1585A9E909AB761DB30ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06C30FC8, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e0773d7fab52e00c6a395a54e52075612991bc07c52ddffe2c945f94c4ce4f
Instruction ID: 0bbff6c9b23484a44d4068127b2c51e523382ca0de5a4472ec158bb8822cb8bb
Opcode Fuzzy Hash: e0e0773d7fab52e00c6a395a54e52075612991bc07c52ddffe2c945f94c4ce4f
Instruction Fuzzy Hash: CCA18E30604350CFD7A0CF69C688BA5B7E2EF41315F4984A9D449CFAA2D375EE84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C3449B, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff9f5aa3609586635b0763f8d1c34c8011bb9afbd2605e3fc19341ad61398ac
Instruction ID: 5796b129e1519fb57cb4381e5d24815c8f85539118891be880525371a45aa1ed
Opcode Fuzzy Hash: 4ff9f5aa3609586635b0763f8d1c34c8011bb9afbd2605e3fc19341ad61398ac
Instruction Fuzzy Hash: 7DA1F374A00219DFCB48DF69D484AAEBBF2FF89310F158559E809AB761DB30ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C383A8, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bcee2d146e199b5a679ea5038dbbd13537ef0d3fbb7a96ce80cdb5ccd488bd
Instruction ID: 211ac7427b8820666587539085cb0e242b38092e9829b9d3eb3dbfcb46d68061
Opcode Fuzzy Hash: d2bcee2d146e199b5a679ea5038dbbd13537ef0d3fbb7a96ce80cdb5ccd488bd
Instruction Fuzzy Hash: 39614A70E012159FDB45DFA9D890AAEBBF7FF89310F148429E906A7351DB34AD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C383A3, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94d6759607adfc5e64e12ff8a32fde243eb9241993d158060531fd31c4bda8a
Instruction ID: 759a5c7a27b707a046d21d7dd9c7111ca74a61c3f1682a20052ba1bcd1cc0675
Opcode Fuzzy Hash: f94d6759607adfc5e64e12ff8a32fde243eb9241993d158060531fd31c4bda8a
Instruction Fuzzy Hash: E5519C70A013159FDB44DFA9D840AAEBBF7FF89310F14842AE50A97351DB34AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C3C780, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67750d590abd9f9db8ace9a4b416745016032f661a457736fd4bd8af7bdf5b33
Instruction ID: fe125d8d7fa32884c7e3d2a6545f935dca6c83c71cc6e59f44fd4af3086b6c5c
Opcode Fuzzy Hash: 67750d590abd9f9db8ace9a4b416745016032f661a457736fd4bd8af7bdf5b33
Instruction Fuzzy Hash: 64517031E04255DFDB51CF68C880AAEBBF2FF45320F15855AE855EB291C730EA44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C354CB, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32f73a1d7c13e637c7f19755ecb5e38d5208919fe785825298afce9d5893f27
Instruction ID: 229063bc4e1d92475c580b8c7678439a85b28219af74e374d5e18b08af13f9f3
Opcode Fuzzy Hash: a32f73a1d7c13e637c7f19755ecb5e38d5208919fe785825298afce9d5893f27
Instruction Fuzzy Hash: 5F51E1B4A04305CFC744DF68C48589ABBF2FF89314B5589A9D449DB722DB30EE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C30438, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc82249d9ee184e4aaf4ff053c93d51ee7cfb03d3289e630e31b280625921df
Instruction ID: 1af95f6e0d712451286a9e8e1edd3cc8360ebffed2969c0b00a18bad0bc09e27
Opcode Fuzzy Hash: 5bc82249d9ee184e4aaf4ff053c93d51ee7cfb03d3289e630e31b280625921df
Instruction Fuzzy Hash: 66510275E006548FDB55CFA9C884A9DBBF2BF88300F15856AE84AAB721D730E985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 06C317D3, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33524334728a2d9a8e9add0cd5ca07a803824d7b63a808b7d6752c520b8735b9
Instruction ID: 92c00e480c855d069b04dfe7ce8fb00152a1585ac6641c58af67bd09b5c2a466
Opcode Fuzzy Hash: 33524334728a2d9a8e9add0cd5ca07a803824d7b63a808b7d6752c520b8735b9
Instruction Fuzzy Hash: EE41AB34A187548FE7B0CE26C084762B7F1BF44328F09895ED48783E91DB74EA88C762

Uniqueness

Uniqueness Score: -1.00%

Function 06C3DD18, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7abb7f5ca292bfcde5d07ae5777ee2ff97bd95bd195b4acdcc38997f346ba51
Instruction ID: 8ed6f4d2a5c734a7ce75742fcbefd087ffb05b3ca2cbf2dd734a693b338e3263
Opcode Fuzzy Hash: b7abb7f5ca292bfcde5d07ae5777ee2ff97bd95bd195b4acdcc38997f346ba51
Instruction Fuzzy Hash: 7C410235700610CFDB58CF29C488A2ABBF6FF89215B1545A9E5478B772CB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C35E90, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a746f6ae299dfb0683c3bc4455149a840e91b7eb1a32093e5b049d6a3a2c4d1
Instruction ID: 2a9add2eeb38a2af047b984082aa34be114f15125d1e6080dfc2efd29650442d
Opcode Fuzzy Hash: 3a746f6ae299dfb0683c3bc4455149a840e91b7eb1a32093e5b049d6a3a2c4d1
Instruction Fuzzy Hash: 68415E75F002199FCB14DFA9D984AAEBBF6FF88310F548029E915A7351CB31AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C3DED0, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1ac141c473a0074ba867700ab9ca7a6c6d373991bb020c6a1764e4832faa04
Instruction ID: e2443f419c88acf25146b24c0f56794662c16603a9e8921decf6e1720f959760
Opcode Fuzzy Hash: ce1ac141c473a0074ba867700ab9ca7a6c6d373991bb020c6a1764e4832faa04
Instruction Fuzzy Hash: 52315D75F002268FDB54DF69C8809AEB7B5FF88311B1444A9E815A7351D730EE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C3C04B, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4938e47181be3503f8f508a2023e7bdad03b8c4168be1e56618936883b4c4a69
Instruction ID: 8ecfded96367a3de5f438c754860ba589dc68241cdbc5251daa64e3aa07d10db
Opcode Fuzzy Hash: 4938e47181be3503f8f508a2023e7bdad03b8c4168be1e56618936883b4c4a69
Instruction Fuzzy Hash: D2313276A1025A9F8F51DF94E8448FFBFB6FF88251B108026F915D3210DB35DA26DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C37748, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa483b67cac2824370453b8e867d3ed93ad7ccbc3e1aadaac60b297a3b7911b
Instruction ID: f28076185c274281a524ada4af0f8934203fb531feb50da89d87f87fc188aa18
Opcode Fuzzy Hash: dfa483b67cac2824370453b8e867d3ed93ad7ccbc3e1aadaac60b297a3b7911b
Instruction Fuzzy Hash: D431D730B152548FCB05ABB8D8645AF7BF6EF86310B1104EAD64ADB391DF348D068791

Uniqueness

Uniqueness Score: -1.00%

Function 06C36070, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337314a6a55b3f4ee59b48ccbd26bb757b67d55e0b3b4c6d10376099d7026019
Instruction ID: f50d652a186adc70eabbcf393bc09c4bd0c010685039a25a1db2c3eee6c690d6
Opcode Fuzzy Hash: 337314a6a55b3f4ee59b48ccbd26bb757b67d55e0b3b4c6d10376099d7026019
Instruction Fuzzy Hash: DC2190317101209FC714DF3AD89992ABBEABF88614B1541ADEA06CB371DF31DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C38680, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535716096b6243b786d3dbf280b113880a5c188434ea4292f8728a7e316bd408
Instruction ID: f5d0b5e9ec09796da4b35559e0ddbc196c2bc349c949b561740e71bdd4e5e0fa
Opcode Fuzzy Hash: 535716096b6243b786d3dbf280b113880a5c188434ea4292f8728a7e316bd408
Instruction Fuzzy Hash: 0E216D74A142549FCB45DF28D55986EFFB2FF89311B058085F80697362CB38AE42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.299571429.0000000000E6D000.00000040.00000001.sdmp, Offset: 00E6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0c319664a2bd2f5203b9cc35a05b2e1be89afd053e3f785b65bd033ab7efc1
Instruction ID: a84384f69db96c3aac8d62beaed79f1d1ea1563cca3da8a58aa8f6b556129371
Opcode Fuzzy Hash: 7c0c319664a2bd2f5203b9cc35a05b2e1be89afd053e3f785b65bd033ab7efc1
Instruction Fuzzy Hash: 2E214571A48240DFCB01CF14EDC0B66BF65FB8836CF24C569E8066B646C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.299648844.0000000000E7D000.00000040.00000001.sdmp, Offset: 00E7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7257a22b7a2193bcafc428358c4179f1044b7d11b8c4cf89ac620b833014e5
Instruction ID: ff1c82c57c11b62ed0f68540f234df600e9ecfb2938d77eb3d82c4f532e01aac
Opcode Fuzzy Hash: 0c7257a22b7a2193bcafc428358c4179f1044b7d11b8c4cf89ac620b833014e5
Instruction Fuzzy Hash: D621D375508244DFCB14DF24DDC4B56BB76FF88318F24D969D80D5B286C336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 06C3867B, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c74af9856d00f4cd780272fd582d325893afffa89c0afed6dc4cea370a4cbe8
Instruction ID: 37b2c1e3a09bd18d081594a258a0cb8acde2eba7d7e9b2722898a695a067e98f
Opcode Fuzzy Hash: 3c74af9856d00f4cd780272fd582d325893afffa89c0afed6dc4cea370a4cbe8
Instruction Fuzzy Hash: A621FA79A102149FCB45DF58D54986EBFB2FB88311B058099F80A97761CB38AE42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06C3F770, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2608ee1ce6effca376622b53d72f3cc7df0f926eac885da3ea6e763ef2cf058e
Instruction ID: 2f16e990d6f8a749c50edab89dffb2447aaf5f7cf1c23372f25c775cfa0c6860
Opcode Fuzzy Hash: 2608ee1ce6effca376622b53d72f3cc7df0f926eac885da3ea6e763ef2cf058e
Instruction Fuzzy Hash: 55215074D0410ADFDB44EFA6D5555AEB7B2FF86304F00C86AC621EB264EB349A05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E7D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.299648844.0000000000E7D000.00000040.00000001.sdmp, Offset: 00E7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30b048c28f7d12b84a281284667b1df23a1269fa132a654c7df59e1dd83588b
Instruction ID: dc0706a9893a546a50ea23aa27ce0963b76f577d2a3ab2568f2c71a3085d00c0
Opcode Fuzzy Hash: b30b048c28f7d12b84a281284667b1df23a1269fa132a654c7df59e1dd83588b
Instruction Fuzzy Hash: C9217F755093C08FCB02CF20D990B15BF71EF46214F29C5EAD8498B697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06C325AD, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622f70a748c5b2e2fd56c623a8a42c7e58aa5b51db6141fba73546f37ac30b15
Instruction ID: 6fc0bfed6299171026c40ef085e706ef3187aa59a58cc0b638c7f2423731dfbb
Opcode Fuzzy Hash: 622f70a748c5b2e2fd56c623a8a42c7e58aa5b51db6141fba73546f37ac30b15
Instruction Fuzzy Hash: CB116A31A043118FCBA0CF18D544BA9FBE2AF44324F498169D559CB695D739AB46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06C40001, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306795611.0000000006C40000.00000040.00000001.sdmp, Offset: 06C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7044a40ef4fd1d73bc92c6f8ec2e99597956511bfcf46eeb22556c2491e1df28
Instruction ID: c06c8cdcf439d73be02ce5893dfdcaa9c743b07486f26c4da0255dc6c49b5f5b
Opcode Fuzzy Hash: 7044a40ef4fd1d73bc92c6f8ec2e99597956511bfcf46eeb22556c2491e1df28
Instruction Fuzzy Hash: 1611AC3254E3C18FC723AF3488105627FB0AE93551B1B05DFD5C5CB0A3E228890EC762

Uniqueness

Uniqueness Score: -1.00%

Function 06C40048, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306795611.0000000006C40000.00000040.00000001.sdmp, Offset: 06C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8fd868ca54582c0f6bb776ac3b9b9a539ca4f37ffaa634409abb94445e0692
Instruction ID: a3bc1cfdd9961bb56811f5694e4a4e07a8e670fd4f5020145c8c008ac2a4a7f9
Opcode Fuzzy Hash: 9a8fd868ca54582c0f6bb776ac3b9b9a539ca4f37ffaa634409abb94445e0692
Instruction Fuzzy Hash: 230161367442918B9BA4AF7AE01056BB7AAABD4561B15843EDB45C7240DF32C942C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 06C3E960, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26977b5ee97e49ab789569c0d8511f8eac017f77ee329886e02e5a160ab0d5d
Instruction ID: 1b9d0d169ecf7a1c13d874b56532a89745ac77773887ac3f3fb2041a98dda907
Opcode Fuzzy Hash: b26977b5ee97e49ab789569c0d8511f8eac017f77ee329886e02e5a160ab0d5d
Instruction Fuzzy Hash: CA119630508222CFE7C96FB5E54D7BD7A76FB4A213B100657E6078A180DB3189828BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00E6D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.299571429.0000000000E6D000.00000040.00000001.sdmp, Offset: 00E6D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction ID: 9a863e038a5c18f5c75378ff786138053124d7faae87829dd6307d2465db1312
Opcode Fuzzy Hash: 82c2d4f6a2d17f220f738be8533c1ca489a9cfe0fbf4c45656e9e51e69fbbc3b
Instruction Fuzzy Hash: FD11E676944280CFCF11CF10E9C4B56BF71FB84328F28C6A9D8455B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06C325C7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2111008e669549a5b3f4c5c60e19b8495c00a22c5b1638ef59c04169a244d131
Instruction ID: 0899dd8d4f3baafc04f7e5f7a56132409cad79a77ced655c05e50a4c1a3b9a2f
Opcode Fuzzy Hash: 2111008e669549a5b3f4c5c60e19b8495c00a22c5b1638ef59c04169a244d131
Instruction Fuzzy Hash: 1A115830A042159FDBA0CF19C544BAAFBF2FF44224F448429D949CB651E338EA41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06C3502B, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc9948b6c83e6cec924746417353fa611a116b3625df1f22cac2633ea49b986
Instruction ID: d75b1a6a24172b8c3ff12081953e52d0f4affe2d758b29c3807a65d3a4762f15
Opcode Fuzzy Hash: 8fc9948b6c83e6cec924746417353fa611a116b3625df1f22cac2633ea49b986
Instruction Fuzzy Hash: 81119135610205CFCB05CF28D844D9EBBB2FF89324B148569E959CB362CB71ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C337F1, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c0a8c7b7773b0c30d10f9d07f920f1bb734b155afc1a6e18201654bb42861b
Instruction ID: 211033a2a40069a6697a3f4540d31ffc15840292632ff683c098a86eb17d3819
Opcode Fuzzy Hash: a6c0a8c7b7773b0c30d10f9d07f920f1bb734b155afc1a6e18201654bb42861b
Instruction Fuzzy Hash: 6F11A135B102198FCB00DFA4D84986FBBB6FF88324714802AE509E7320DB30DA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C35030, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6174bee8a46cf7ea26ecaffb2465d572a0f8a19d2270e036b72e355a71c27ed9
Instruction ID: 08873bba66b30ef533cf5b3b19d4229448edbd9a87df9292f1afd485aa01533f
Opcode Fuzzy Hash: 6174bee8a46cf7ea26ecaffb2465d572a0f8a19d2270e036b72e355a71c27ed9
Instruction Fuzzy Hash: B1118C35610204DFCB00DF68D884D9ABBB2FF89324B108559E919CB322CB71ED02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06C31298, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8556dde3e375d0877976e985c95fa956de9c2e4c9036ab0c2dfbadb66eab9a
Instruction ID: 96e12cebb82317922d730e4402d3e797aeb53efd5f3dd1681546e540a4e53c1a
Opcode Fuzzy Hash: 3d8556dde3e375d0877976e985c95fa956de9c2e4c9036ab0c2dfbadb66eab9a
Instruction Fuzzy Hash: 1801C430A18B91DEE3E28A38C68C7967ED16F16205F8C985CD083CBE42C7A5F584C350

Uniqueness

Uniqueness Score: -1.00%

Function 06C376D8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0389ff091d991a9321d9a0dfea0a8aa123cf0491a420ed2260ea22f1d0f42ced
Instruction ID: 200b197d91a2d146c6378b6207f57a88e3e3034af1c142d2bd536a0dfba6f843
Opcode Fuzzy Hash: 0389ff091d991a9321d9a0dfea0a8aa123cf0491a420ed2260ea22f1d0f42ced
Instruction Fuzzy Hash: DDF0B472B182318F9B499EA9B4045BA77E9EB4517571400BFE10DC7240EE32DE40C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 06C385B3, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713f3066733d63b2b108ad85e3289666574c573e85060e7abf2590d22fca193e
Instruction ID: 4c2879942899a082e35cd3012124c417486f35052e89024f7a4419119486a776
Opcode Fuzzy Hash: 713f3066733d63b2b108ad85e3289666574c573e85060e7abf2590d22fca193e
Instruction Fuzzy Hash: 75F04C31726568DFCB518B28C444D5AFB70FF40310B16C68AF496CB192CB24EC02C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 06C350BC, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71288f201c25c039e80f3c938d3871c8400eadbcb196d99d5d97fe0778822dfa
Instruction ID: 3e685b033746353ca3a46ffbb080020b1df34df6e5ce5c4c50ad25202eabd43c
Opcode Fuzzy Hash: 71288f201c25c039e80f3c938d3871c8400eadbcb196d99d5d97fe0778822dfa
Instruction Fuzzy Hash: 68F0BEB390E1D14BCB02D738ACA89CABF21EC231A871908DBD194CB852D210851AD3A2

Uniqueness

Uniqueness Score: -1.00%

Function 06C3BF98, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1161d4c9171b1054a12af542e872c7297cafa9832aa6fd64cc077a0d7ffb22d6
Instruction ID: ca41072368457b75c3c0d295cef163e24297c401c1083b3a4f92b4f6e2d633c8
Opcode Fuzzy Hash: 1161d4c9171b1054a12af542e872c7297cafa9832aa6fd64cc077a0d7ffb22d6
Instruction Fuzzy Hash: 55F0E0393042149FC7208B49D454D5BF7EAEFD4320F16C86EE50A87252CB30FC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 06C3BF8B, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df23274ebba39caa3c7dffe2dcf47e60b6352056d0db249e98bb7b831589d064
Instruction ID: 4a1c6205a1df21264c60bb166feabaad450a00d31f593551f4d91bf8cb53dd50
Opcode Fuzzy Hash: df23274ebba39caa3c7dffe2dcf47e60b6352056d0db249e98bb7b831589d064
Instruction Fuzzy Hash: 4DF0E9397053149FC7218748E484D6ABBE9AF8932070BD45EF00AD7252CB30FC408B61

Uniqueness

Uniqueness Score: -1.00%

Function 06C3861B, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f9c23431cae36262377ee7e02c228e29e716610d6327460f6918359eb54a0
Instruction ID: ff6a3ccceda41b7556e60557d93221a8a2f40f22739b704526f86a232c26f853
Opcode Fuzzy Hash: 7c5f9c23431cae36262377ee7e02c228e29e716610d6327460f6918359eb54a0
Instruction Fuzzy Hash: 03F0E232B12975AFC7208B0CC484D56FBB9AB84320B12C65AF56ADB291CB30EC018BC1

Uniqueness

Uniqueness Score: -1.00%

Function 06C385DB, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7cc3eab6b1422fffafffd86068a98ef975f7945b3f43dc432768aaf6b5c9aa
Instruction ID: 22a30979a97e74e0f7634255095fd023a5572222ea6429e18630101ddbfd59f6
Opcode Fuzzy Hash: fd7cc3eab6b1422fffafffd86068a98ef975f7945b3f43dc432768aaf6b5c9aa
Instruction Fuzzy Hash: C2D05EB672A320570724159E7CD98BFBE9EEBCD135314003AF50AC3300DE94DC4242E1

Uniqueness

Uniqueness Score: -1.00%

Function 06C385E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92537d2f9de43cb970e538b498a2eb5bac177635a401e95547667e40fafb75f3
Instruction ID: 9f33a990e43f164d94ffc5734e5bfa78b52f7f01e78ba0c07080e0e5d369dd37
Opcode Fuzzy Hash: 92537d2f9de43cb970e538b498a2eb5bac177635a401e95547667e40fafb75f3
Instruction Fuzzy Hash: FDD05EB272A320170714154E78C84BFFA9EE7CD535314003AF50AC3300DE949C0242A0

Uniqueness

Uniqueness Score: -1.00%

Function 06C31501, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9301b8711fcecbd80be7a1450deec5ef3998358970376d1132cd9e28159a0b
Instruction ID: 74cee82ae4d291d2431e7af95d53166bd572e541e07b0c6249b151d0514b6d79
Opcode Fuzzy Hash: bd9301b8711fcecbd80be7a1450deec5ef3998358970376d1132cd9e28159a0b
Instruction Fuzzy Hash: A3E0D8729093C58FE302CF20D968E907FB3AB26300F098496D88ACB153D335CA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06C31538, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd23e041ce7ef002cac972ef4d68ebae5dbd24fa0bf90cb16cb5d8800fa8ce7
Instruction ID: dc450464989eac16311529137147c944297fd231f23c604c603d478acbbd78a2
Opcode Fuzzy Hash: cfd23e041ce7ef002cac972ef4d68ebae5dbd24fa0bf90cb16cb5d8800fa8ce7
Instruction Fuzzy Hash: BBE08C715042859FD301CF20D558A607FE6AB26300F098096E486CB112C335CA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C3773B, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77e799e3079338d3321b195a4b7ee365ab182d08484c02a996205f1a25db164
Instruction ID: b5e6f2bd10a4a5c360a4106480dded870b4f67ae1fe017b7bbff20dc6cf5682a
Opcode Fuzzy Hash: b77e799e3079338d3321b195a4b7ee365ab182d08484c02a996205f1a25db164
Instruction Fuzzy Hash: 57D0A92490B2E42F830312296C848ABBF2D8C4352032840DAF048DB107C4408D1083F6

Uniqueness

Uniqueness Score: -1.00%

Function 06C31548, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8727667ea78733c5b5db664f076a58210f8018ba2c5de0c6f732ff8b05712f0c
Instruction ID: a3b46cb48bd863d991eded002f8d7d16d7ff0e2958222e1426b3d897bddacac0
Opcode Fuzzy Hash: 8727667ea78733c5b5db664f076a58210f8018ba2c5de0c6f732ff8b05712f0c
Instruction Fuzzy Hash: DBE01731600208EFC700CF58C288E51BBEAEB19740F09C495E50A8B212D330EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06C3150D, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72fd88b2ef909e145d8b2939c95b9dd2de29062a0133586d0e0b837c8ae6f11
Instruction ID: a800995e85d552bac1a9b503c4252f9184289b0fe532280687342af7c6bff940
Opcode Fuzzy Hash: f72fd88b2ef909e145d8b2939c95b9dd2de29062a0133586d0e0b837c8ae6f11
Instruction Fuzzy Hash: 71D0A7322101048FCB048FB1E4085247BF5EB48614324445DF40EC7A11E733C843DB00

Uniqueness

Uniqueness Score: -1.00%

Function 06C378E4, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592f25a7495fefcb6f30a32b609b897e20d37c916c75f4cd1a1b67e933b6e06a
Instruction ID: d5e5441ef1846b914d9029415548592f771fa22e773455ebb6ff641b38ee0a81
Opcode Fuzzy Hash: 592f25a7495fefcb6f30a32b609b897e20d37c916c75f4cd1a1b67e933b6e06a
Instruction Fuzzy Hash: 28D0C975B000188F8B84EBAEE05049C7BB5EF89215B0000A6E21ACB220DB309D568B91

Uniqueness

Uniqueness Score: -1.00%

Function 06C37AAA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13003d0d21f8cbbf757492be6af9478a1255b5a0b1348bd75b804a40a7ecc071
Instruction ID: 565379a899664bc72218de2261fd6a6cf303d9323b9f3c677d41a9f1e9181305
Opcode Fuzzy Hash: 13003d0d21f8cbbf757492be6af9478a1255b5a0b1348bd75b804a40a7ecc071
Instruction Fuzzy Hash: 18D01235710014CF8B88EA9DD01449873A5EF85519B1100E6E61ACB260CB20DC154790

Uniqueness

Uniqueness Score: -1.00%

Function 06C37B4C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2c3b815c8eff9bd1ef3b4f74bde2bf7a91ac6401bba4af99a6cc6c62e8635c
Instruction ID: a57b1cbcd5add5986a1b45e1c99a6b237ab2be421546a9ade8b044fb4f61ae30
Opcode Fuzzy Hash: de2c3b815c8eff9bd1ef3b4f74bde2bf7a91ac6401bba4af99a6cc6c62e8635c
Instruction Fuzzy Hash: 9AD012357400148F8748EA9DD0504A833F5EFC422574100A6E206C7631CB30DC968B80

Uniqueness

Uniqueness Score: -1.00%

Function 06C385B8, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.306741161.0000000006C30000.00000040.00000001.sdmp, Offset: 06C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bec9eddc14612beb28bbe673cf84b013ec0ddc3daefde3510b5abe0884ce92
Instruction ID: 47c39d5d950c0848c73a5f1b7a0a8c255c194dd83058e7d460e84093d32c78e5
Opcode Fuzzy Hash: 30bec9eddc14612beb28bbe673cf84b013ec0ddc3daefde3510b5abe0884ce92
Instruction Fuzzy Hash: C1C09230512344CFCB06CF30C048808BBB2FF4230536940D8E00A8B522CB36EC83CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: vlc.exe PID: 6536 Parent PID: 3388 vlc.exeCOMMON

Executed Functions

Function 0726A300, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 0726A44C

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 28c74d9607e7db9fc71804435d99d86dbc5d490fab4a459d460b102f740c4ce1
Instruction ID: 9d73ad54a25e665e6eb0031399f1659d15c3fba6faf9e2ae7e25bddf51e2da3d
Opcode Fuzzy Hash: 28c74d9607e7db9fc71804435d99d86dbc5d490fab4a459d460b102f740c4ce1
Instruction Fuzzy Hash: 765106B0D102598FDB14CFA9C988BDDBBF5AF48304F24C02AD816BB391DB749884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB758, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DEB7C8
GetCurrentThread.KERNEL32 ref: 00DEB805
GetCurrentProcess.KERNEL32 ref: 00DEB842
GetCurrentThreadId.KERNEL32 ref: 00DEB89B

Strings

H, xrefs: 00DEB8C7

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: c54f70cf45ae5e5822b4e934a1918a1c65abef192e2cf3eb4258097cf56414c1
Instruction ID: bc74feea176e143a7eaebb43f3d6302235b926a83bfca3aeec26f9ec37daa15b
Opcode Fuzzy Hash: c54f70cf45ae5e5822b4e934a1918a1c65abef192e2cf3eb4258097cf56414c1
Instruction Fuzzy Hash: 4C5168B0D006898FDB54CFA9D6887EEBFF1AF48314F24855AE409A73A1D7746844CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB768, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00DEB7C8
GetCurrentThread.KERNEL32 ref: 00DEB805
GetCurrentProcess.KERNEL32 ref: 00DEB842
GetCurrentThreadId.KERNEL32 ref: 00DEB89B

Strings

H, xrefs: 00DEB8C7

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: H
API String ID: 2063062207-1105002124
Opcode ID: 13e915eb7a98ae8e18b1ce9ee0268dcf86c850958aa8027b6395ac84a4ac490d
Instruction ID: 7b03fdb01fa288aa9cee531e09a79c8c5a27ac5039e723e85074b77b0e7e9d67
Opcode Fuzzy Hash: 13e915eb7a98ae8e18b1ce9ee0268dcf86c850958aa8027b6395ac84a4ac490d
Instruction Fuzzy Hash: 1A5157B0D006498FDB54DFAAD6887DEBBF5BF88314F24845AE409A7390DB746884CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE7EF8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004B), ref: 00DE7FDD

Strings

H, xrefs: 00DE7FAC

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: MetricsSystem
String ID: H
API String ID: 4116985748-1105002124
Opcode ID: cbb1cf617a3332d86f2d87a49428412835385b4110ba0aec45fd06d2398b4e5b
Instruction ID: b4f0e623684a3c0ec665dc54f549c1d2a2340bd5fb1fecd91d5224549a3da343
Opcode Fuzzy Hash: cbb1cf617a3332d86f2d87a49428412835385b4110ba0aec45fd06d2398b4e5b
Instruction Fuzzy Hash: 613139719087C48FC711EFAADA093E9BFF4EF15315F184099D084A7252CB38994ADB71

Uniqueness

Uniqueness Score: -1.00%

Function 0726862C, Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726886E

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0da96c148c7eac78f8b4fbfc24c45b3ec8c0539031d048a76f6ad493e6d8e39d
Instruction ID: 0009fad37b58081ef3af6b78688e9fdcffb73579faee39fa2dd14c79d8cef299
Opcode Fuzzy Hash: 0da96c148c7eac78f8b4fbfc24c45b3ec8c0539031d048a76f6ad493e6d8e39d
Instruction Fuzzy Hash: 4DA15BB5D1421ACFDB10CFA8CC847DEBBB6BF48314F14856AD809A7240DB759A85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07268638, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0726886E

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5ae7d30b0a16cb20248573a66c6bc337701eeebc9114856f91f3b5a7e21861e6
Instruction ID: 46832a2e4a14e6918115f4820e9874a3529f314b9e8ffe65fc84418572def0c1
Opcode Fuzzy Hash: 5ae7d30b0a16cb20248573a66c6bc337701eeebc9114856f91f3b5a7e21861e6
Instruction Fuzzy Hash: C4914AB1D1425ACFDB10CFA8C8847EDBBB2BF48314F14856AD809A7240DB759A85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00DE9470, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DE96B6

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2d875db946eb8d5408a24b95b8cd585b769c71312da31b5da572606255c88700
Instruction ID: eea6b4d6615b07effe51693b602fcaeecbdfdbf2da16c64e522d2f9c56b0ba9a
Opcode Fuzzy Hash: 2d875db946eb8d5408a24b95b8cd585b769c71312da31b5da572606255c88700
Instruction Fuzzy Hash: 8F7137B0A01B458FDB64EF6AD5517AAB7F1FF88304F04892ED44AD7A40DB35E8058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0726A2F6, Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000000), ref: 0726A44C

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 94ed65c5b167fc16043fdbc295fe0d25595b79e37ca762d07db1797cd4db9fe1
Instruction ID: ced4bf4987115c8fe52dc78bb74e5bb6bd2d6c8241dcf550d5bae904593f06f9
Opcode Fuzzy Hash: 94ed65c5b167fc16043fdbc295fe0d25595b79e37ca762d07db1797cd4db9fe1
Instruction Fuzzy Hash: 985104B0D142598FDB14CFA9C998BDDBBF5AF48304F24C02AD816BB391DB749884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00DEFDCD, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DEFEEA

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2079e0df9ec186369ecd4ec934044459d7f7715a49995096e3bc3317fb0af013
Instruction ID: 71b661379f2ad810ce22a13f06751873e2488607d1338fa6ced5180f26ab85f7
Opcode Fuzzy Hash: 2079e0df9ec186369ecd4ec934044459d7f7715a49995096e3bc3317fb0af013
Instruction Fuzzy Hash: A251D2B1D00349DFDB14CFAAC880ADEBFB5BF49314F24812AE819AB250D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DEFDD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DEFEEA

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 122f05b56f4e24a5605c7dfddacd051af3d24cb601f045e64546bcbe386043da
Instruction ID: 1e8af6a5206c72e00524eacf4409d28dd016e3b8195cd3d6d37812252d18ffaf
Opcode Fuzzy Hash: 122f05b56f4e24a5605c7dfddacd051af3d24cb601f045e64546bcbe386043da
Instruction Fuzzy Hash: 6F41B1B1D00349DFDB14DF9AC984ADEBBB5FF48314F24812AE819AB250D774A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5384, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DE5441

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fcb8b8297c9a5edacaef13798722ee4d319e2e3d791dfc6f389247153220270c
Instruction ID: 6495de9915c35b9717796143f7e99e1deafce915545b3ec1b435686750ea47c7
Opcode Fuzzy Hash: fcb8b8297c9a5edacaef13798722ee4d319e2e3d791dfc6f389247153220270c
Instruction Fuzzy Hash: 12411471C0465CCFDB24DFAAC884BDDBBB5BF88309F248069D409AB251DB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00DE3E08, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00DE5441

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e77ba340feb7c33760169b506f16c846b4f18dba3a022473f7a0cccbf4fb07bd
Instruction ID: 99e7de138295e901bafc5e1d5f6fd54530c07493c2fbd19127b80d3cfac5d430
Opcode Fuzzy Hash: e77ba340feb7c33760169b506f16c846b4f18dba3a022473f7a0cccbf4fb07bd
Instruction Fuzzy Hash: 98411470C0465CCBDB20DFAAC844BDEBBB5BF88309F208069D409AB245D7B5A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06B493ED, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06B494C2

Memory Dump Source

Source File: 0000000B.00000002.321355952.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e24cc2f24fd6c2192e56efe46860277f67756afdfa53abd9ef56b76f86685d41
Instruction ID: ccfb8d8599a6ed10c31ab42ef70583fd224e7e73c87d2548c97e043534125025
Opcode Fuzzy Hash: e24cc2f24fd6c2192e56efe46860277f67756afdfa53abd9ef56b76f86685d41
Instruction Fuzzy Hash: 9B3152B1D002498FDB60EFA8C8947DEBBB1FB08354F248569E829A7380D7789445CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B45CE0, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 06B494C2

Memory Dump Source

Source File: 0000000B.00000002.321355952.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 428cee371d9f3e6404eb76dfd341f24ed14ae560dfa552853e5ca4cffaa4e232
Instruction ID: ee1bafe1417f0679d2cede701a1ba0f0c897224490a034d464b0f2f07c0f8130
Opcode Fuzzy Hash: 428cee371d9f3e6404eb76dfd341f24ed14ae560dfa552853e5ca4cffaa4e232
Instruction Fuzzy Hash: 5C3144B0D002498FDB64EFA9C8857EEBBF1FB08354F148569E825AB384D7789845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0726830A, Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072683A0

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1bc64957c92d4e69fea0aa8945069d248c6bfee89cfef0ca727a8f33ece2f87e
Instruction ID: 3006fe13f5a2048fbdf109062294c56552611927af9398d269b58a6485c069df
Opcode Fuzzy Hash: 1bc64957c92d4e69fea0aa8945069d248c6bfee89cfef0ca727a8f33ece2f87e
Instruction Fuzzy Hash: 272126B1D003599FCB50CFAAC984BEEBBF5FF48354F10842AE919A7241D7789954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07268310, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072683A0

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a5883d371b19718d6b5f9401d204924199c2fb7d25858a66572b5f832f1d40db
Instruction ID: da8a329f787f2e160fb4e04b29e0906b8dfe5f45958ca596e91ab0f8b7984b74
Opcode Fuzzy Hash: a5883d371b19718d6b5f9401d204924199c2fb7d25858a66572b5f832f1d40db
Instruction Fuzzy Hash: B521F6B19003599FCB10CFA9C9847DEBBF5FF48314F10842AE919A7241D7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0726AE82, Relevance: 1.6, APIs: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0726AE4D

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 638f2a98eeb33a70d6eff36a5be8599666e1334f7f6f6b63be366ce722f01bed
Instruction ID: 4cd77d1f7a3b8125d8c3651271499fe923db5b245609624a948561bdc7057b48
Opcode Fuzzy Hash: 638f2a98eeb33a70d6eff36a5be8599666e1334f7f6f6b63be366ce722f01bed
Instruction Fuzzy Hash: 4621D1B5E0929A8FCB10DF98D5183EEBBF1AF89300F15845AC500BB240C7795980CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 072683FA, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07268480

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1229331e8df8364ac4eb3566dc0893112addb52989aa0bc0a2036b7a4d739ba1
Instruction ID: 091e684f8c873a1252a351ca3a7618ce2ec64a0f019259687d6df53151baf900
Opcode Fuzzy Hash: 1229331e8df8364ac4eb3566dc0893112addb52989aa0bc0a2036b7a4d739ba1
Instruction Fuzzy Hash: 392125B1D002599FCB10CFA9C8847EEBBF5BF48314F14842AE519A7240C7389944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07268172, Relevance: 1.6, APIs: 1, Instructions: 66threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 072681F6

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 54c834e9ce2a4df510268311c304568923e3022fe42192cd8178f29f326b1f1b
Instruction ID: 80d2c61c06a0419f52ff07faec92af16bf9a1a954c8af9c9ee31b29b62ab48f3
Opcode Fuzzy Hash: 54c834e9ce2a4df510268311c304568923e3022fe42192cd8178f29f326b1f1b
Instruction Fuzzy Hash: 152138B1D042499FDB50CFAAC8847EEBBF5EF48264F14842AD519A7240DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB988, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DEBA17

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6d278f941ab768edcbe2d5398e265465341feb7e2af6f7eb3d587c1a00bbeaf1
Instruction ID: bdfbf82e6413de56fd2d6da31debd373cbda0b07b2654cdea65352bc41b13840
Opcode Fuzzy Hash: 6d278f941ab768edcbe2d5398e265465341feb7e2af6f7eb3d587c1a00bbeaf1
Instruction Fuzzy Hash: 3021F2B5D002489FDB10CFAAD984AEEBFF4FB48324F14841AE954A3351C374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07268400, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07268480

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c61b534f725376cc96c139119b21f9804fa47ed6fc8269921cd992da001d8e12
Instruction ID: 4272ceb0604139d98e65907603b3b79c0e338473ce94e62687bba120b2cf77eb
Opcode Fuzzy Hash: c61b534f725376cc96c139119b21f9804fa47ed6fc8269921cd992da001d8e12
Instruction Fuzzy Hash: 212114B1D002599FCB10CFAAC884BEEBBF5FF48314F50842AE919A7240D7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07268178, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 072681F6

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ab8318e08c9233dfc73c124cea8717b793af91b48b1fcc960cff45e6575c3132
Instruction ID: f06005e71116089a1c668606af27ef2a3cd6ec10c80b593a00dbc05787486fa4
Opcode Fuzzy Hash: ab8318e08c9233dfc73c124cea8717b793af91b48b1fcc960cff45e6575c3132
Instruction Fuzzy Hash: 172149B1D043498FCB10CFAAC8847EEBBF4EF48354F14842AD519A7240DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DEB990, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DEBA17

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 69b5477364a9dea4089c3ef5a57bcfa69c148c29816f1994596ace203ba9f5aa
Instruction ID: 4d6b17f14e587685eb9ed1cf510d00351abb4f4272e4683055e0782b44bc4e6e
Opcode Fuzzy Hash: 69b5477364a9dea4089c3ef5a57bcfa69c148c29816f1994596ace203ba9f5aa
Instruction Fuzzy Hash: D621C4B59002499FDB10CF9AD984ADEBBF8FB48324F15841AE914B7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE98D0, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DE9731,00000800,00000000,00000000), ref: 00DE9942

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 76471370adaa8b6aaa5ff400f5681347e9ba3faaed977d51ad96686bfef7d891
Instruction ID: b328920221a1bfc5fdab8830d9426d4acb3184ea489fcbf98aa936feeaea52d2
Opcode Fuzzy Hash: 76471370adaa8b6aaa5ff400f5681347e9ba3faaed977d51ad96686bfef7d891
Instruction Fuzzy Hash: E32158B2C002888FCB10CFAAD884ADEFBF4AF88324F14841DD455A7701C3759905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE89D0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DE9731,00000800,00000000,00000000), ref: 00DE9942

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ceb45030624429bc8d621f0ebe3995b5c4d3ee97dd01e37b3ce7f4d4c3ab9e3d
Instruction ID: d86e7cb124bd9e6bcf5daf55bfc7576e80f7778b066a359586d1368d606a46c0
Opcode Fuzzy Hash: ceb45030624429bc8d621f0ebe3995b5c4d3ee97dd01e37b3ce7f4d4c3ab9e3d
Instruction Fuzzy Hash: 721114B69042498FCB10DF9AD844ADEFBF4EB88324F15842ED515A7700C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07268250, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072682BE

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b081f44f24c4c424ff701e4aabb0a3d68c3dad4588db47b3f60ce0f23ae9faa1
Instruction ID: 0e41245d4ff1668fbd8e6a59fb42a9208ff0805cc003f8a660b91ea043462e99
Opcode Fuzzy Hash: b081f44f24c4c424ff701e4aabb0a3d68c3dad4588db47b3f60ce0f23ae9faa1
Instruction Fuzzy Hash: 041137B29042499FCF10CFA9C8447EFBBF5AF88324F14881AD515A7650C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B496A1, Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000006), ref: 06B4970A

Memory Dump Source

Source File: 0000000B.00000002.321355952.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b525c8f4270d4d05cf4aa7f7401384a16b8abca57c3d2cae9718c33468d9fce3
Instruction ID: 9dd98cda1043dd4fcebadb0f0d7662a0922e8e4a45964d371ebbcb9eea46fae4
Opcode Fuzzy Hash: b525c8f4270d4d05cf4aa7f7401384a16b8abca57c3d2cae9718c33468d9fce3
Instruction Fuzzy Hash: 991158B1D043488FCB10DFAAC8447DFBBF9AF88268F148819D519B7240CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07268252, Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072682BE

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90235b0e36494f6d2b5c41a919caf7b8aa01545524a766593097a6daf431d150
Instruction ID: 0e36dfc606b3eb45b4a0e7d184cd6045a49f2ae8bad4c5e07189bc4444785bee
Opcode Fuzzy Hash: 90235b0e36494f6d2b5c41a919caf7b8aa01545524a766593097a6daf431d150
Instruction Fuzzy Hash: 271134B29042499FCF10CFA9D8447EFBBF5AF88324F14881AE519A7650C7759954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0726ADE8, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0726AE4D

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 26bbe2fb978b897ccefdfffd02c56bdcb2b336c5ae8849948f1052bcbcc866b8
Instruction ID: 6650557e507d74a962431cd7683e78e33fcd939dbbb1dee116ffbe0a086ddb45
Opcode Fuzzy Hash: 26bbe2fb978b897ccefdfffd02c56bdcb2b336c5ae8849948f1052bcbcc866b8
Instruction Fuzzy Hash: 361103B58002499FDB50CF99D988BDEFBF8EB48724F10841AE514B7700C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B496A8, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(00000006), ref: 06B4970A

Memory Dump Source

Source File: 0000000B.00000002.321355952.0000000006B40000.00000040.00000001.sdmp, Offset: 06B40000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3bda2f6d402f6b4fc09d1f53a9cd18c7f5c8a1eb0c57bd92c53c3b1b7f929ea9
Instruction ID: 3107b63e5de172169b5311b906a79c66b9bf3aa1040f2dcfb2bb240f4b9deec2
Opcode Fuzzy Hash: 3bda2f6d402f6b4fc09d1f53a9cd18c7f5c8a1eb0c57bd92c53c3b1b7f929ea9
Instruction Fuzzy Hash: A1113AB1D042488BDB10DFAAC8447DFFBF9EF88224F148419C519A7640CB74A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DE9650, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00DE96B6

Memory Dump Source

Source File: 0000000B.00000002.315011297.0000000000DE0000.00000040.00000001.sdmp, Offset: 00DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 000cb3ee093192619c7d8a2ad2677909f59f58d65a352a8b65ca098a955ac296
Instruction ID: 7b5e9fcf583397778ee4a030b2eb1166a7ecd31f55cd88dcef744e97f4b10550
Opcode Fuzzy Hash: 000cb3ee093192619c7d8a2ad2677909f59f58d65a352a8b65ca098a955ac296
Instruction Fuzzy Hash: B5110FB2C012898FCB10DF9AC844BDEFBF4AB88324F15841AD419B7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07268B10, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0726AE4D

Memory Dump Source

Source File: 0000000B.00000002.321582824.0000000007260000.00000040.00000001.sdmp, Offset: 07260000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c9bdf3e6d58e92c9b78a625e85893730a21ebb1533c53b956e21bcea1781f35
Instruction ID: ccf3fd24d30df0bea6809216977aaf60cc588f413cd4badb9d06c678b4e4bf26
Opcode Fuzzy Hash: 8c9bdf3e6d58e92c9b78a625e85893730a21ebb1533c53b956e21bcea1781f35
Instruction Fuzzy Hash: F91103B58003499FCB10CF99D988BDFBBF8EB48324F10841AE515B7200D374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.314749196.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e541d4dfc24059f591b0efc5c63dab429886a77b51f1d69d2a4e68e163cf452f
Instruction ID: fbe07385f879b8ccddaca41033d2226ba43ca73946aea516ecf5f450f1fed687
Opcode Fuzzy Hash: e541d4dfc24059f591b0efc5c63dab429886a77b51f1d69d2a4e68e163cf452f
Instruction Fuzzy Hash: C121F271604244DFDF14DF24D9C4B26BBA6FB88314F24C969E84E4B286C33BD846CA71

Uniqueness

Uniqueness Score: -1.00%

Function 00D9D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.314749196.0000000000D9D000.00000040.00000001.sdmp, Offset: 00D9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af8d5609f2820ca69c72ebff54103827ddb43017516afa679b231d20a3951b0
Instruction ID: c01c7fff6ee543b83090635a50ef58c295195aed43bf9e815f24732ec839463a
Opcode Fuzzy Hash: 5af8d5609f2820ca69c72ebff54103827ddb43017516afa679b231d20a3951b0
Instruction Fuzzy Hash: BF2192755093C08FCB02CF24D990715BF71EB46314F29C5EAD8498F697C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOhOvZMWOvVyKYxqxFjBeQ.exe4 vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePanlwmqitxzsq.dll4 vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.252302125.0000000003C61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary3.dll< vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000000.214469304.0000000000902000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameJqeofcirr6.exe` vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000000.00000002.251609553.00000000010EB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000001.00000000.245925171.0000000000382000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameJqeofcirr6.exe` vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.503386805.0000000006850000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000000.247521411.0000000000DF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameJqeofcirr6.exe` vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.484715731.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameOhOvZMWOvVyKYxqxFjBeQ.exe4 vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.504414136.0000000007130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe, 00000002.00000002.503840561.0000000006A30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe
Source: SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe	Binary or memory string: OriginalFilenameJqeofcirr6.exe` vs SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Trojan.MulDrop15.61980.13868.3384

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre