
Analysis Report lWAGihypmY0YXgh.exe

Overview

General Information

Sample Name: lWAGihypmY0YXgh.exe
Analysis ID: 344974
MD5: 4c0f12aff6638202b87a156b8bcabb8a
SHA1: 4742ebd00f82dcc2a520e2165d5c941e6cba4936
SHA256: c935dd6128830f5506af13b5e46043d4f8b2781e345936f06964722865ab0c6e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • lWAGihypmY0YXgh.exe (PID: 988 cmdline: 'C:\Users\user\Desktop\lWAGihypmY0YXgh.exe' MD5: 4C0F12AFF6638202B87A156B8BCABB8A)
    • schtasks.exe (PID: 4588 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "eS6gY1q65emm", "URL: ": "http://Lh0EfnfAinQ8pAa5.net", "To: ": "", "ByHost: ": "mail.sardaplywood.com:5878", "Password: ": "wyujHc", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.246672076.00000000043F4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.lWAGihypmY0YXgh.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\lWAGihypmY0YXgh.exe'
  ParentImage: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
  ParentProcessId: 988
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
  ProcessId: 4588

Signature Overview

AV Detection:

Found malware configuration
Source: lWAGihypmY0YXgh.exe.6068.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "eS6gY1q65emm", "URL: ": "http://Lh0EfnfAinQ8pAa5.net", "To: ": "", "ByHost: ": "mail.sardaplywood.com:5878", "Password: ": "wyujHc", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: lWAGihypmY0YXgh.exe | Virustotal: Detection: 32%
Source: lWAGihypmY0YXgh.exe | ReversingLabs: Detection: 33%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: lWAGihypmY0YXgh.exe | Joe Sandbox ML: detected
Source: 4.2.lWAGihypmY0YXgh.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: lWAGihypmY0YXgh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: lWAGihypmY0YXgh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://Lh0EfnfAinQ8pAa5.net
Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 72.52.178.59:587
Source: Joe Sandbox View | IP Address: 72.52.178.59
Source: Joe Sandbox View | ASN Name: LIQUIDWEBUS
Source: unknown | DNS traffic detected: queries for: mail.sardaplywood.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.244750869.00000000017A9000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 4.2.lWAGihypmY0YXgh.exe.400000.0.unpack, <PrivateImplementationDetails>{844667E1-DB28-4087-B569-C1A133D68329}/AFA2B437-A4B8-477E-974B-953C4991484C.cs | Large array initialization: .cctor: array initializer size 11962
Source: lWAGihypmY0YXgh.exe | Binary or memory string: OriginalFilename vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTJLnfPGmTXdBZrgeHdXDhWNah.exe4 vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamei7hDxntRTQ.exe@ vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.252724664.0000000008130000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.253343777.0000000008230000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.253343777.0000000008230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000001.00000002.244750869.00000000017A9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000004.00000002.634810911.00000000011A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000004.00000002.633648937.0000000000F58000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000004.00000002.633299909.0000000000AF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamei7hDxntRTQ.exe@ vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000004.00000002.634961217.000000000126A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe, 00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameTJLnfPGmTXdBZrgeHdXDhWNah.exe4 vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe | Binary or memory string: OriginalFilenamei7hDxntRTQ.exe@ vs lWAGihypmY0YXgh.exe
Source: lWAGihypmY0YXgh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.lWAGihypmY0YXgh.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File created: C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Mutant created: \Sessions\1\BaseNamedObjects\aDgjvXeVmPcQVVUOozrwWCDq
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File created: C:\Users\user\AppData\Local\Temp\tmp38D3.tmp
Source: lWAGihypmY0YXgh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: lWAGihypmY0YXgh.exe | Virustotal: Detection: 32%
Source: lWAGihypmY0YXgh.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File read: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
Source: unknown | Process created: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe 'C:\Users\user\Desktop\lWAGihypmY0YXgh.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe {path}
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process created: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe {path}
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: lWAGihypmY0YXgh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: lWAGihypmY0YXgh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: lWAGihypmY0YXgh.exe, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: HQNbDThyljJh.exe.1.dr, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.0.lWAGihypmY0YXgh.exe.f70000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.lWAGihypmY0YXgh.exe.f70000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.2.lWAGihypmY0YXgh.exe.af0000.1.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 4.0.lWAGihypmY0YXgh.exe.af0000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeCode function: 4_2_0119DD31 push ebp; retf 4_2_0119DD32
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeCode function: 4_2_0119D2C5 pushad ; retf 4_2_0119D2C7
              Source: initial sampleStatic PE information: section name: .text entropy: 7.53579555496
              Source: initial sampleStatic PE information: section name: .text entropy: 7.53579555496
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File created: C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 988, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Window / User API: threadDelayed 2702
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Window / User API: threadDelayed 7117
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 204 | Thread sleep time: -31500s >= -30000s
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 5448 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 6080 | Thread sleep time: -20291418481080494s >= -30000s
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 4696 | Thread sleep count: 2702 > 30
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 4696 | Thread sleep count: 7117 > 30
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe TID: 6080 | Thread sleep count: 34 > 30
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.246250068.0000000003609000.00000004.00000001.sdmp | Binary or memory string: VMware
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245252670.0000000003311000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245252670.0000000003311000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245252670.0000000003311000.00000004.00000001.sdmp | Binary or memory string: VMWARE
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: lWAGihypmY0YXgh.exe, 00000001.00000002.245252670.0000000003311000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: lWAGihypmY0YXgh.exe, 00000004.00000003.505041677.0000000001340000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Code function: 4_2_01190A70 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk, 4_2_01190A70
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Process created: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe {path}
              Source: lWAGihypmY0YXgh.exe, 00000004.00000002.635646979.0000000001900000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: lWAGihypmY0YXgh.exe, 00000004.00000002.635646979.0000000001900000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: lWAGihypmY0YXgh.exe, 00000004.00000002.635646979.0000000001900000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
              Source: lWAGihypmY0YXgh.exe, 00000004.00000002.635646979.0000000001900000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
              Source: lWAGihypmY0YXgh.exe, 00000004.00000002.635646979.0000000001900000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.246672076.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 988, type: MEMORY
Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 6068, type: MEMORY
Source: Yara match | File source: 4.2.lWAGihypmY0YXgh.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 6068, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.246672076.00000000043F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 988, type: MEMORY
Source: Yara match | File source: Process Memory Space: lWAGihypmY0YXgh.exe PID: 6068, type: MEMORY
Source: Yara match | File source: 4.2.lWAGihypmY0YXgh.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 12 | Disable or Modify Tools 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 111 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Credentials in Registry 1 | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 12 | NTDS | Security Software Discovery 321 | Distributed Component Object Model | Input Capture 111 | Scheduled Transfer | Application Layer Protocol 111 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 14 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 14 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 12 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

              Behavior Graph


              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
lWAGihypmY0YXgh.exe | 33% | Virustotal |
lWAGihypmY0YXgh.exe | 33% | ReversingLabs | ByteCode-MSIL.Packed.Generic
lWAGihypmY0YXgh.exe | 100% | Joe Sandbox ML |

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe | 33% | ReversingLabs | ByteCode-MSIL.Packed.Generic

              Unpacked PE Files

Source | Detection | Scanner | Label
4.2.lWAGihypmY0YXgh.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comiv | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
http://www.sajatypeworks.com2 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/://wInI | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/dn | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/a-d | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnU | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnFROM | 0% | Avira URL Cloud | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sakkal.comva | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnm | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/%n | 0% | Avira URL Cloud | safe
http://RwbTYu.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.comtu | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/.n | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.sardaplywood.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.fontbureau.comessedVnl | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://Lh0EfnfAinQ8pAa5.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://www.fontbureau.come.com | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://en.w | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.comicno | 0% | Avira URL Cloud | safe
http://www.fontbureau.comW.TTFInI | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cncn4g | 0% | Avira URL Cloud | safe
http://www.fontbureau.comt | 0% | URL Reputation | safe
http://www.fontbureau.comt | 0% | URL Reputation | safe
http://www.fontbureau.comt | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.sardaplywood.com | 72.52.178.59 | true | true | | unknown

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://Lh0EfnfAinQ8pAa5.net | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | lWAGihypmY0YXgh.exe, 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.comiv | lWAGihypmY0YXgh.exe, 00000001.00000003.224219916.000000000632B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com2 | lWAGihypmY0YXgh.exe, 00000001.00000003.224219916.000000000632B000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html0 | lWAGihypmY0YXgh.exe, 00000001.00000003.228943788.000000000631D000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/://wInI | lWAGihypmY0YXgh.exe, 00000001.00000003.225782389.000000000631B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/dn | lWAGihypmY0YXgh.exe, 00000001.00000003.225782389.000000000631B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/a-d | lWAGihypmY0YXgh.exe, 00000001.00000003.226307399.000000000631D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnU | lWAGihypmY0YXgh.exe, 00000001.00000003.224935169.0000000006317000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cnFROM | lWAGihypmY0YXgh.exe, 00000001.00000003.225020310.0000000006317000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp, lWAGihypmY0YXgh.exe, 00000001.00000003.232456297.0000000006317000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comessed | lWAGihypmY0YXgh.exe, 00000001.00000003.229367097.000000000631C000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.goodfont.co.kr | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.sakkal.comva | lWAGihypmY0YXgh.exe, 00000001.00000003.226385091.0000000006344000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | lWAGihypmY0YXgh.exe, 00000001.00000003.224219916.000000000632B000.00000004.00000001.sdmp, lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.typography.netD | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cnm | lWAGihypmY0YXgh.exe, 00000001.00000003.224935169.0000000006317000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/%n | lWAGihypmY0YXgh.exe, 00000001.00000003.226307399.000000000631D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://RwbTYu.com | lWAGihypmY0YXgh.exe, 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.fonts.com | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.sajatypeworks.comtu | lWAGihypmY0YXgh.exe, 00000001.00000003.224219916.000000000632B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | lWAGihypmY0YXgh.exe, 00000001.00000002.245252670.0000000003311000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/.n | lWAGihypmY0YXgh.exe, 00000001.00000003.226307399.000000000631D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | lWAGihypmY0YXgh.exe, 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp, lWAGihypmY0YXgh.exe, 00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://mail.sardaplywood.com | lWAGihypmY0YXgh.exe, 00000004.00000002.637537848.0000000003205000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | lWAGihypmY0YXgh.exe, 00000001.00000003.225380050.0000000006317000.00000004.00000001.sdmp, lWAGihypmY0YXgh.exe, 00000001.00000003.225415215.0000000006317000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | lWAGihypmY0YXgh.exe, 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp | false
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comFlWAGihypmY0YXgh.exe, 00000001.00000003.229468329.000000000631E000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlulWAGihypmY0YXgh.exe, 00000001.00000003.228943788.000000000631D000.00000004.00000001.sdmpfalse
                                    high
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%halWAGihypmY0YXgh.exe, 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.comessedVnllWAGihypmY0YXgh.exe, 00000001.00000003.228853121.000000000631C000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/jp/lWAGihypmY0YXgh.exe, 00000001.00000003.226307399.000000000631D000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.comdlWAGihypmY0YXgh.exe, 00000001.00000003.228943788.000000000631D000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.come.comlWAGihypmY0YXgh.exe, 00000001.00000003.229367097.000000000631C000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://en.wlWAGihypmY0YXgh.exe, 00000001.00000003.224018588.0000000006316000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.carterandcone.comllWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/cabarga.htmlNlWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comicnolWAGihypmY0YXgh.exe, 00000001.00000003.232456297.0000000006317000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.comW.TTFInIlWAGihypmY0YXgh.exe, 00000001.00000003.229367097.000000000631C000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.founder.com.cn/cnlWAGihypmY0YXgh.exe, 00000001.00000003.224977850.0000000006318000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmllWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cncn4glWAGihypmY0YXgh.exe, 00000001.00000003.224977850.0000000006318000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.comtlWAGihypmY0YXgh.exe, 00000001.00000003.229367097.000000000631C000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.commlWAGihypmY0YXgh.exe, 00000001.00000003.232733352.0000000006317000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/lWAGihypmY0YXgh.exe, 00000001.00000003.225782389.000000000631B000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.comolWAGihypmY0YXgh.exe, 00000001.00000003.232456297.0000000006317000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8lWAGihypmY0YXgh.exe, 00000001.00000002.250251822.0000000007522000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.founder.com.cn/cn5klWAGihypmY0YXgh.exe, 00000001.00000003.224977850.0000000006318000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comsieflWAGihypmY0YXgh.exe, 00000001.00000003.229468329.000000000631E000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown

Contacted IPs

Public

IP: 72.52.178.59
Domain: unknown
Country: United States
ASN: 32244
ASN Name: LIQUIDWEBUS
Malicious: true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344974
Start date: 27.01.2021
Start time: 15:15:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: lWAGihypmY0YXgh.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 59
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 23.210.248.85, 51.104.144.132, 95.101.22.224, 95.101.22.216, 20.54.26.129, 51.103.5.159, 52.155.217.156
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus17.cloudapp.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, par02p.wns.notify.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time: 15:16:06
Type: API Interceptor
Description: 1149x Sleep call for process: lWAGihypmY0YXgh.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match: 72.52.178.59
Associated samples (each detected as malicious):
• Shipping Documents.doc
• 8Aobnx1VRi.exe
• RFQ-Strip Casting Line.exe
• SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe
• SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exe
• QImd3Q4VM0mNPFC.exe
• yarobelo.exe
• New order.doc
• Purchase order.doc
• PO-A2031150 AVI41916.exe
• uQQ6orCz0I.exe
• tM0AaInQN843GBX.exe
• GMo4SZUHaO.exe
• 6IvaO5k09S.exe
• y4EDfjLJfDnggGQ.exe
• SecuriteInfo.com.Generic.mg.4ddf98cd8e5a012c.exe
• hBpR9WytClXymyi.exe
• qu89NOv44s.exe
• Purchase order.exe
• part1.rtf

                                                                                  Domains

Match: mail.sardaplywood.com
Associated samples (each detected as malicious; context IP in parentheses):
• Shipping Documents.doc (72.52.178.59)
• 8Aobnx1VRi.exe (72.52.178.59)
• RFQ-Strip Casting Line.exe (72.52.178.59)
• SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe (72.52.178.59)
• SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exe (72.52.178.59)
• Order 21-21.doc (67.225.218.11)
• SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe (67.225.218.11)
• QImd3Q4VM0mNPFC.exe (72.52.178.59)
• yarobelo.exe (72.52.178.59)
• New order.doc (72.52.178.59)
• Purchase order.doc (72.52.178.59)
• PO-A2031150 AVI41916.exe (72.52.178.59)
• uQQ6orCz0I.exe (72.52.178.59)
• tM0AaInQN843GBX.exe (72.52.178.59)
• GMo4SZUHaO.exe (72.52.178.59)
• 6IvaO5k09S.exe (72.52.178.59)
• y4EDfjLJfDnggGQ.exe (72.52.178.59)
• SecuriteInfo.com.Generic.mg.4ddf98cd8e5a012c.exe (72.52.178.59)
• hBpR9WytClXymyi.exe (72.52.178.59)
• qu89NOv44s.exe (72.52.178.59)

                                                                                  ASN

Match: LIQUIDWEBUS
Associated samples (each detected as malicious; context IP in parentheses):
• ARCH 05 2_80074.doc (209.59.139.39)
• Shipping Documents.doc (72.52.178.59)
• 8Aobnx1VRi.exe (72.52.178.59)
• RFQ-Strip Casting Line.exe (72.52.178.59)
• SecuriteInfo.com.BehavesLike.Win32.Generic.nm.exe (72.52.178.59)
• SecuriteInfo.com.BehavesLike.Win32.Generic.mh.exe (72.52.178.59)
• 433.doc (67.227.152.97)
• Order 21-21.doc (67.225.218.11)
• SecuriteInfo.com.BehavesLike.Win32.Generic.qm.exe (67.225.218.11)
• Adjunto-30.doc (67.227.195.169)
• 935 2021 7-1529257.doc (209.59.139.39)
• Purchase Order_pdf.exe (69.16.211.30)
• 937 2912 2020 2_90961070.doc (67.227.152.97)
• Archivo_2020.doc (67.227.152.97)
• 81msxxUisn.exe (72.52.178.23)
• Archivo.doc (67.227.152.97)
• Q38V8rfI5H.js (72.52.178.23)
• Q38V8rfI5H.js (72.52.178.23)
• Doc.doc (67.225.191.31)
• ARCH_2021.doc (209.59.139.39)

                                                                                  JA3 Fingerprints

                                                                                  No context

                                                                                  Dropped Files

                                                                                  No context

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lWAGihypmY0YXgh.exe.log
                                                                                  Process:C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1216
                                                                                  Entropy (8bit):5.355304211458859
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                  Malicious:true
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                   C:\Users\user\AppData\Local\Temp\tmp38D3.tmp
                                                                                   Process: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
                                                                                   File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                   Category: dropped
                                                                                   Size (bytes): 1649
                                                                                   Entropy (8bit): 5.183233044081882
                                                                                   Encrypted: false
                                                                                   SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBMAPtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3SAF
                                                                                   MD5: 4FFF7ED5E1697C90C08C0405B1ADB58B
                                                                                   SHA1: 5560656702998474BF8DBA257CA9CA870F4D6660
                                                                                   SHA-256: 72ACEA1E93A7C1666866037903EDF735A225B732DE2392792FD332F572E8D1DD
                                                                                   SHA-512: 8A7CBD44EA0327DFBE311CFA3014D6D89A7E7961245783D071D6EF8B536ED1513EECC74C68C1E8BC9664B603217832784B97C4B2B5D0929F79967F41D5944412
                                                                                   Malicious: true
                                                                                   Reputation: low
                                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                                                   C:\Users\user\AppData\Roaming\HQNbDThyljJh.exe
                                                                                   Process: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
                                                                                   File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                   Category: dropped
                                                                                   Size (bytes): 832000
                                                                                   Entropy (8bit): 7.376167485974427
                                                                                   Encrypted: false
                                                                                   SSDEEP: 12288:Rqfu196mwIFAW3WgWpMj/HtxVTfid5rBtqKuCwaBbaBx:z5wIue3Wqj/txVTU5rBtq9ZaRa
                                                                                   MD5: 4C0F12AFF6638202B87A156B8BCABB8A
                                                                                   SHA1: 4742EBD00F82DCC2A520E2165D5C941E6CBA4936
                                                                                   SHA-256: C935DD6128830F5506AF13B5E46043D4F8B2781E345936F06964722865AB0C6E
                                                                                   SHA-512: D77B8B4F17A840897ADD306E358A97A19F1BE2E7605741EFA8386F7E8FB23C1664228A47F9DF8A3B4CF8CD0B311C1EE58E82F18BC4615273103E3FD080473322
                                                                                   Malicious: true
                                                                                   Antivirus:
                                                                                   • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                   • Antivirus: ReversingLabs, Detection: 33%
                                                                                   Reputation: low
                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..`..............0.................. ........@.. ....................................@.................................h...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......d...._......y....<..p...........................................&.(......*...0..9........~.........,".r...p.....(....o....s............~.....+..*....0...........~.....+..*".......*.0..!........(....r1..p~....o......t.....+..*".(.....*Vr?..p.....rK..p.....*^..}.....(.......(.....*.0..J.........rY..pr...p(....&.(....t!...o.......#..r...p.o....(....r...p...(....&...*..........%&.# ....0..+.........,..{.......+....,...{....o .......(!....*..0............s"...}.....s"...}.
                                                                                   C:\Users\user\AppData\Roaming\j04yismf.sjk\Chrome\Default\Cookies
                                                                                   Process: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
                                                                                   File Type: SQLite 3.x database, last written using SQLite version 3032001
                                                                                   Category: dropped
                                                                                   Size (bytes): 20480
                                                                                   Entropy (8bit): 0.698304057893793
                                                                                   Encrypted: false
                                                                                   SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoIL4rtEy80:T5LLOpEO5J/Kn7U1uBoI+j
                                                                                   MD5: 3806E8153A55C1A2DA0B09461A9C882A
                                                                                   SHA1: BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
                                                                                   SHA-256: 366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
                                                                                   SHA-512: 31E96CC89795D80390432062466D542DBEA7DF31E3E8676DF370381BEDC720948085AD495A735FBDB75071DE45F3B8E470D809E863664990A79DEE8ADC648F1C
                                                                                   Malicious: false
                                                                                   Reputation: moderate, very likely benign file
                                                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  Static File Info

                                                                                  General

                                                                                   File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                   Entropy (8bit): 7.376167485974427
                                                                                   TrID:
                                                                                   • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                   • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                   • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                   • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                   • DOS Executable Generic (2002/1) 0.01%
                                                                                   File name: lWAGihypmY0YXgh.exe
                                                                                   File size: 832000
                                                                                   MD5: 4c0f12aff6638202b87a156b8bcabb8a
                                                                                   SHA1: 4742ebd00f82dcc2a520e2165d5c941e6cba4936
                                                                                   SHA256: c935dd6128830f5506af13b5e46043d4f8b2781e345936f06964722865ab0c6e
                                                                                   SHA512: d77b8b4f17a840897add306e358a97a19f1be2e7605741efa8386f7e8fb23c1664228a47f9df8a3b4cf8cd0b311c1ee58e82f18bc4615273103e3fd080473322
                                                                                   SSDEEP: 12288:Rqfu196mwIFAW3WgWpMj/HtxVTfid5rBtqKuCwaBbaBx:z5wIue3Wqj/txVTU5rBtq9ZaRa
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..`..............0.................. ........@.. ....................................@................................

                                                                                  File Icon

                                                                                   Icon Hash: e0dc9e0e1e9296e8

                                                                                  Static PE Info

                                                                                  General

                                                                                   Entrypoint: 0x4bbdba
                                                                                   Entrypoint Section: .text
                                                                                   Digitally signed: false
                                                                                   Imagebase: 0x400000
                                                                                   Subsystem: windows gui
                                                                                   Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                   DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                   Time Stamp: 0x6010C76A [Wed Jan 27 01:52:42 2021 UTC]
                                                                                   TLS Callbacks:
                                                                                   CLR (.Net) Version: v4.0.30319
                                                                                   OS Version Major: 4
                                                                                   OS Version Minor: 0
                                                                                   File Version Major: 4
                                                                                   File Version Minor: 0
                                                                                   Subsystem Version Major: 4
                                                                                   Subsystem Version Minor: 0
                                                                                   Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al

                                                                                  Data Directories

                                                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbbd68 | 0x4f | .text
                                                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x10e98 | .rsrc
                                                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
                                                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                  Sections

                                                                                   Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                   .text | 0x2000 | 0xb9dc0 | 0xb9e00 | False | 0.66132260844 | data | 7.53579555496 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                   .rsrc | 0xbc000 | 0x10e98 | 0x11000 | False | 0.132999195772 | data | 4.50647829778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                   .reloc | 0xce000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                  Resources

                                                                                   Name | RVA | Size | Type | Language | Country
                                                                                   RT_ICON | 0xbc100 | 0x10828 | data | |
                                                                                   RT_GROUP_ICON | 0xcc938 | 0x14 | data | |
                                                                                   RT_VERSION | 0xcc95c | 0x33c | data | |
                                                                                   RT_MANIFEST | 0xccca8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                                  Imports

                                                                                   DLL | Import
                                                                                   mscoree.dll | _CorExeMain

                                                                                  Version Infos

                                                                                   Description | Data
                                                                                   Translation | 0x0000 0x04b0
                                                                                   LegalCopyright | Copyright 2017
                                                                                   Assembly Version | 1.0.0.0
                                                                                   InternalName | i7hDxntRTQ.exe
                                                                                   FileVersion | 1.0.0.0
                                                                                   CompanyName |
                                                                                   LegalTrademarks |
                                                                                   Comments |
                                                                                   ProductName | HotelMgmtSystem
                                                                                   ProductVersion | 1.0.0.0
                                                                                   FileDescription | HotelMgmtSystem
                                                                                   OriginalFilename | i7hDxntRTQ.exe

                                                                                  Network Behavior

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                   Jan 27, 2021 15:17:52.778460979 CET | 49737 | 587 | 192.168.2.5 | 72.52.178.59
                                                                                   Jan 27, 2021 15:17:55.763927937 CET | 49737 | 587 | 192.168.2.5 | 72.52.178.59
                                                                                   Jan 27, 2021 15:18:01.764501095 CET | 49737 | 587 | 192.168.2.5 | 72.52.178.59
                                                                                   Jan 27, 2021 15:18:15.942601919 CET | 49738 | 587 | 192.168.2.5 | 72.52.178.59
                                                                                   Jan 27, 2021 15:18:18.953504086 CET | 49738 | 587 | 192.168.2.5 | 72.52.178.59
                                                                                   Jan 27, 2021 15:18:24.953892946 CET | 49738 | 587 | 192.168.2.5 | 72.52.178.59

                                                                                  UDP Packets

                                                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                   Jan 27, 2021 15:15:56.917489052 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:15:56.974052906 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:15:57.998327971 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:15:58.046441078 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:15:58.912138939 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:15:58.960170984 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:00.000684977 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:00.051584005 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:00.873547077 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:00.923321962 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:22.828087091 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:22.890472889 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:26.554241896 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:26.605107069 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:29.726089954 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:29.783792019 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:42.237662077 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:42.294150114 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:45.877793074 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:45.925832033 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:47.475452900 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:47.523392916 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:16:50.426089048 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:16:50.486789942 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:17:26.807775021 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:17:26.858573914 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:17:51.258930922 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:17:51.309784889 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
                                                                                   Jan 27, 2021 15:17:51.775666952 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
                                                                                   Jan 27, 2021 15:17:51.826503992 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
                                                                                  Jan 27, 2021 15:17:52.484864950 CET6373253192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:17:52.632637024 CET53637328.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:15.879472017 CET5734453192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:15.940701008 CET53573448.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:38.646527052 CET5445053192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:38.708085060 CET53544508.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:39.348392010 CET5926153192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:39.399883032 CET53592618.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:40.190232992 CET5715153192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:40.239104033 CET53571518.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:40.912715912 CET5941353192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:40.969495058 CET53594138.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:41.610985041 CET6051653192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:41.672333002 CET53605168.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:42.297666073 CET5164953192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:42.359169960 CET53516498.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:43.215058088 CET6508653192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:43.263248920 CET53650868.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:44.532676935 CET5643253192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:44.591362000 CET53564328.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:46.108494043 CET5292953192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:46.165102005 CET53529298.8.8.8192.168.2.5
                                                                                  Jan 27, 2021 15:18:46.677643061 CET6431753192.168.2.58.8.8.8
                                                                                  Jan 27, 2021 15:18:46.728189945 CET53643178.8.8.8192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 27, 2021 15:17:52.484864950 CET | 192.168.2.5 | 8.8.8.8 | 0x9441 | Standard query (0) | mail.sardaplywood.com | A (IP address) | IN (0x0001)
Jan 27, 2021 15:18:15.879472017 CET | 192.168.2.5 | 8.8.8.8 | 0x25ff | Standard query (0) | mail.sardaplywood.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 27, 2021 15:17:52.632637024 CET | 8.8.8.8 | 192.168.2.5 | 0x9441 | No error (0) | mail.sardaplywood.com | | 72.52.178.59 | A (IP address) | IN (0x0001)
Jan 27, 2021 15:18:15.940701008 CET | 8.8.8.8 | 192.168.2.5 | 0x25ff | No error (0) | mail.sardaplywood.com | | 72.52.178.59 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 15:16:01
Start date: 27/01/2021
Path: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\lWAGihypmY0YXgh.exe'
Imagebase: 0xf70000
File size: 832000 bytes
MD5 hash: 4C0F12AFF6638202B87A156B8BCABB8A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.247243531.0000000004573000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.245486243.000000000338E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.246672076.00000000043F4000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:16:10
Start date: 27/01/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HQNbDThyljJh' /XML 'C:\Users\user\AppData\Local\Temp\tmp38D3.tmp'
Imagebase: 0x3f0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:16:10
Start date: 27/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:16:11
Start date: 27/01/2021
Path: C:\Users\user\Desktop\lWAGihypmY0YXgh.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xaf0000
File size: 832000 bytes
MD5 hash: 4C0F12AFF6638202B87A156B8BCABB8A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.632866048.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.635904351.0000000002EF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                                  Disassembly

                                                                                  Code Analysis

                                                                                    Executed Functions

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0328FECA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: dbf3154a0cc485f564ccc1cac43507e5b05315b02c3f68759398f43caa9beaca
                                                                                    • Instruction ID: 347aa68546358e53ebb69e34f45472c158623f0e73658110b8122dc87763ef0d
                                                                                    • Opcode Fuzzy Hash: dbf3154a0cc485f564ccc1cac43507e5b05315b02c3f68759398f43caa9beaca
                                                                                    • Instruction Fuzzy Hash: 3B51CEB1D10349AFDB14CF99D984ADEFBB5BF48314F24812AE819AB250D7749885CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0328FECA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 0cbcc2d4d7ac1677f2570f5902868a012c34ee032278db20d2f5d937b75cfa05
                                                                                    • Instruction ID: cdf381341eab397ac87f266d9f4775bae1719a4cc9508e59fb29973b5fb2632c
                                                                                    • Opcode Fuzzy Hash: 0cbcc2d4d7ac1677f2570f5902868a012c34ee032278db20d2f5d937b75cfa05
                                                                                    • Instruction Fuzzy Hash: F251EEB1D10349EFDB14CFA9D980ADEFBB5BF48304F24812AE418AB250D7749885CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 03285459
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 7d2a6c158bc59aad7f244aeb8d8ecbdc52a276cc554fba2e5321703f59a097a1
                                                                                    • Instruction ID: f5c2398b5e4449a445fc4055842f31751df392f553aa85d60984c4eac8507f00
                                                                                    • Opcode Fuzzy Hash: 7d2a6c158bc59aad7f244aeb8d8ecbdc52a276cc554fba2e5321703f59a097a1
                                                                                    • Instruction Fuzzy Hash: 2F41E271D0061DCBDB24DFA9C884B8EBBB1BF89308F248459D509AB251D7755986CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • CreateActCtxA.KERNEL32(?), ref: 03285459
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    • Opcode ID: 76a96e36eb4fcf7d0bf813c7596f57de778081b464ef42c06774b30083495850
                                                                                    • Instruction ID: ac01efea05b2fc0dec59f3380109e5ae05a2127e372023ea591fd3df94208fe5
                                                                                    • Opcode Fuzzy Hash: 76a96e36eb4fcf7d0bf813c7596f57de778081b464ef42c06774b30083495850
                                                                                    • Instruction Fuzzy Hash: DE410471D0471CCBDB20DF9AC88478EBBB1BF49304F208459D509AB291DB745989CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0328B93E,?,?,?,?,?), ref: 0328B9FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 3a5f1cea0f3233a91ecdb5472a3e67ca0c26889fb6f0344fd0cdc0c1bc7bcaa4
                                                                                    • Instruction ID: ab33e887073090321ac99fcb1c68e1914f3b5340c70e14266c6e95cadaa7b3d6
                                                                                    • Opcode Fuzzy Hash: 3a5f1cea0f3233a91ecdb5472a3e67ca0c26889fb6f0344fd0cdc0c1bc7bcaa4
                                                                                    • Instruction Fuzzy Hash: 0121E3B5901248DFDB10CFA9D884AEEBBF8EB48324F14841AE915B3350D378A944CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0328B93E,?,?,?,?,?), ref: 0328B9FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DuplicateHandle
                                                                                    • String ID:
                                                                                    • API String ID: 3793708945-0
                                                                                    • Opcode ID: 1d37b93e036baffab1f0454f2ee879abdaf92b662a0616a0b2d8e06d2af106f2
                                                                                    • Instruction ID: 00f18114175ba881541e093ff29fc3d2cdd182fa84826281ba0e1a60e683f3cd
                                                                                    • Opcode Fuzzy Hash: 1d37b93e036baffab1f0454f2ee879abdaf92b662a0616a0b2d8e06d2af106f2
                                                                                    • Instruction Fuzzy Hash: 5521E0B5900248DFDB10CFA9D984ADEBBF4FB48324F14841AE914B3350D378A944CF60
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03289711,00000800,00000000,00000000), ref: 03289922
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: d5479e14885c28bc1e66bbf5b7327a3bf9507c975bd79931854f37056c7c83f9
                                                                                    • Instruction ID: bb1b5ec79de32500da7ca462b8e30a96d06bd2847c32ee25fad6ecb60de6c5c8
                                                                                    • Opcode Fuzzy Hash: d5479e14885c28bc1e66bbf5b7327a3bf9507c975bd79931854f37056c7c83f9
                                                                                    • Instruction Fuzzy Hash: 071126B6D043499FDB10DF9AD484AEEFBF4EB49314F14842AE925B7240C374A985CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,03289711,00000800,00000000,00000000), ref: 03289922
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: a5bc896568435209f8ee98b3f51881526b816fdb1fae76cf3cc2971240b37e1d
                                                                                    • Instruction ID: 1715e9076c3b3cccd9efb9c9f9c928bf44d912df6d6966460b04cd2046169c0e
                                                                                    • Opcode Fuzzy Hash: a5bc896568435209f8ee98b3f51881526b816fdb1fae76cf3cc2971240b37e1d
                                                                                    • Instruction Fuzzy Hash: AA1114B6D003498FCB10CF99C484AEEFBF4AB48314F15842AD925A7250C778A586CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 03289696
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: HandleModule
                                                                                    • String ID:
                                                                                    • API String ID: 4139908857-0
                                                                                    • Opcode ID: ea69bd93a7dfe848e99645423809a91aa981c29b482c99446fedc93ac0b3573b
                                                                                    • Instruction ID: 77be6d7daa2b854cb9c5447e3cdb7f3ee194981e78c57db29cadd7a4dedacb41
                                                                                    • Opcode Fuzzy Hash: ea69bd93a7dfe848e99645423809a91aa981c29b482c99446fedc93ac0b3573b
                                                                                    • Instruction Fuzzy Hash: 541113B6D013598FCB10DF9AC444BDEFBF4EB89224F14841AD419B7240C379A585CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Non-executed Functions

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7f3acca13124525a670a429bbdc5c6f95e5065fbf8d5b744673101faa023184d
                                                                                    • Instruction ID: 9af1792a2bf8977957b680521bf784024416ec2487ec01770b343b8efe58ffee
                                                                                    • Opcode Fuzzy Hash: 7f3acca13124525a670a429bbdc5c6f95e5065fbf8d5b744673101faa023184d
                                                                                    • Instruction Fuzzy Hash: D812C9F14217468AD310EF67F99C1897B61F756328BB0C308D2652BAD9D7B8B14ACF84
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 11b6b8b61878d7462530ab44fd98640592dd7dff99040b9c93b6ab57ffb5eea5
                                                                                    • Instruction ID: 8a92b0fc3708513e785415e58ce09aef26007d98b195c01414a8e815532991f0
                                                                                    • Opcode Fuzzy Hash: 11b6b8b61878d7462530ab44fd98640592dd7dff99040b9c93b6ab57ffb5eea5
                                                                                    • Instruction Fuzzy Hash: 09A19136E2121A8FCF05EFB5C8445DDB7B2FF84300B15856AE805BB2A5DB71A949CF80
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.245083681.0000000003280000.00000040.00000001.sdmp, Offset: 03280000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1aa6a1de32bf37ee82a15b962fd2d0345118ca174bc5127d15cc17a28d8f3e56
                                                                                    • Instruction ID: 3a8226d1ca697e4c95c046184bd64e17d479d950eaf0c388c3b2eb8af9b04efd
                                                                                    • Opcode Fuzzy Hash: 1aa6a1de32bf37ee82a15b962fd2d0345118ca174bc5127d15cc17a28d8f3e56
                                                                                    • Instruction Fuzzy Hash: 51C11AB14217458AD710EF67F99C1897B61FB96328F70C309D2612BAD8D7B4B48ACF84
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Executed Functions

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: dce1bf0490a672e281348fac79657ffd03958295c34f23c6536c5a7524c9a4c8
                                                                                    • Instruction ID: 960c2b1baf2200f7e4a9a0c10b5a019659dfa072b15e7818839089ce5634d903
                                                                                    • Opcode Fuzzy Hash: dce1bf0490a672e281348fac79657ffd03958295c34f23c6536c5a7524c9a4c8
                                                                                    • Instruction Fuzzy Hash: 26A235B4A00228CFCB69EF20D95869DB7B6BF88205F1085E9D60AA3754CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634900352.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: a2355dfc13d9b4396f2b37caa39e805f2a10cc71c1abd0fe11cdb66f970fb80b
                                                                                    • Instruction ID: db9d116c390ec2d704353464eac280a2c65c2e9c4c4fed6d98b24fea9fc6abde
                                                                                    • Opcode Fuzzy Hash: a2355dfc13d9b4396f2b37caa39e805f2a10cc71c1abd0fe11cdb66f970fb80b
                                                                                    • Instruction Fuzzy Hash: 78622970E106198FDB24EFB8C9546EDB7B2AF89304F1085A9D50AAB354EF709D85CF81
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: ef7c055ceb4b9abadd74b45a48eb1fee153b509ca5dc0155908d9b1e94c7b0fc
                                                                                    • Instruction ID: 9e5d832b2e468507eab2aaaf3dd5df6cde77fb9837bc1e983f825c30b68463c8
                                                                                    • Opcode Fuzzy Hash: ef7c055ceb4b9abadd74b45a48eb1fee153b509ca5dc0155908d9b1e94c7b0fc
                                                                                    • Instruction Fuzzy Hash: 096227B4A04228CFCB69EF24D85869DB7B6BF49209F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: 7b29dadc3d25d076e505075c67b57317cebbd72ff026b76c1a47ae6af23af239
                                                                                    • Instruction ID: ea83b9b969423cf840313545b8adaecb7bb2f89490f29e0841ce34680ec2bf44
                                                                                    • Opcode Fuzzy Hash: 7b29dadc3d25d076e505075c67b57317cebbd72ff026b76c1a47ae6af23af239
                                                                                    • Instruction Fuzzy Hash: 775227B4A04228CFDB69EF24D85869DB7B6BF49209F5084E9D60AA3740CF349EC5CF11
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: 32c96e2743a7dd870b66b55a4b387c69a742991dcf6bccf97e820737df20e89e
                                                                                    • Instruction ID: a4ddae6a106eee11cabc8d67c822aa502347d8c1bcc998d4559feb933f256e10
                                                                                    • Opcode Fuzzy Hash: 32c96e2743a7dd870b66b55a4b387c69a742991dcf6bccf97e820737df20e89e
                                                                                    • Instruction Fuzzy Hash: AC5227B4A04228CFCB69EF24D85869DB7B6BF49209F5084E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: b4910ea4068c0dc2f9aebe730a178e927a5e25a6d54c291cc407c1c2fe6374d9
                                                                                    • Instruction ID: 0aec0e3fe9042eb18d8c5516925b85efe5d7e3ea9a16f35f0d879c7394cd33dd
                                                                                    • Opcode Fuzzy Hash: b4910ea4068c0dc2f9aebe730a178e927a5e25a6d54c291cc407c1c2fe6374d9
                                                                                    • Instruction Fuzzy Hash: 475227B4A04228CFCB69EF24D85869DB7B6BF49209F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: c20768c41bad85f4a2ff2a4766bcf485d3fce16feff660aa196e80b1dd637516
                                                                                    • Instruction ID: c1d68bf4c1d2563bbb60e2aef925aa085c72ccbedb674333500d7bc442582e77
                                                                                    • Opcode Fuzzy Hash: c20768c41bad85f4a2ff2a4766bcf485d3fce16feff660aa196e80b1dd637516
                                                                                    • Instruction Fuzzy Hash: DB5226B4A04228CFCB69EF24D85869DB7B6BF49209F5084E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: d83a34249032a37275ee0d6da116f502f9f838d69ddcce0f95a40528de335b05
                                                                                    • Instruction ID: 7be9ab7026e4a9191d1ef5a1f7701c9c11be263c43540e7163083d8d7820498e
                                                                                    • Opcode Fuzzy Hash: d83a34249032a37275ee0d6da116f502f9f838d69ddcce0f95a40528de335b05
                                                                                    • Instruction Fuzzy Hash: 975227B4A04228CFCB69EF24D85869DB7B6BF49209F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: eb44d62cb5aef2fcc971b3e7d323242c1c277efa6aca1029f94f58349c8c301b
                                                                                    • Instruction ID: 385f12988442d5264bb2eae53500b6175da2d8db6f078a5c2dd327bcd1ea9b8b
                                                                                    • Opcode Fuzzy Hash: eb44d62cb5aef2fcc971b3e7d323242c1c277efa6aca1029f94f58349c8c301b
                                                                                    • Instruction Fuzzy Hash: 285226B4A04228CFCB69EF24D85869DB7B6BF89205F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: 8ce04a2871694d1b108e853e3459d39905ef0f4412d4a3be9e3e6497bcec1685
                                                                                    • Instruction ID: ec1e20a25633dee5b18ced02d794f92945fa7fe0220245dbd3b29bda7a97ec8c
                                                                                    • Opcode Fuzzy Hash: 8ce04a2871694d1b108e853e3459d39905ef0f4412d4a3be9e3e6497bcec1685
                                                                                    • Instruction Fuzzy Hash: 9C5226B4A04228CFCB69EF24D85869DB7B6BF89205F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionUser$InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2638914809-0
                                                                                    • Opcode ID: f5328d67a75b5b3bccffcc81c803aceeec7be1dfc4c140cde4a0aaaa753a7bda
                                                                                    • Instruction ID: 8cffb927a93c242da34a855b3d70a0e68141a4ab5201c97407eddfd8998b5c34
                                                                                    • Opcode Fuzzy Hash: f5328d67a75b5b3bccffcc81c803aceeec7be1dfc4c140cde4a0aaaa753a7bda
                                                                                    • Instruction Fuzzy Hash: E44225B4A04228CFCB69EF24D85869DB7B6BF89205F5085E9D60AA3740CF349EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190F6B
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01190FB0
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 061f399ecc5f47fa7a8d8874abddf6a1c56735adf83b3250b0f79e39b940efee
• Instruction ID: 9ed8db5e0fe59455842372b0d539310f1b24818e25b13c1bf0dea9b999d41bbd
• Opcode Fuzzy Hash: 061f399ecc5f47fa7a8d8874abddf6a1c56735adf83b3250b0f79e39b940efee
• Instruction Fuzzy Hash: 364225B4A04228CFCB69EF24D85869DB7B6BF89205F5085E9D60AA3740CF349EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: cf95e3097d12706c438bcbb2943b8f9d66629c7082bc9c12ddeb7e84ee58ab1b
• Instruction ID: a92119b95980d2a60975328df915967d93c490a18a0dc0490dcb7e21fa6fd843
• Opcode Fuzzy Hash: cf95e3097d12706c438bcbb2943b8f9d66629c7082bc9c12ddeb7e84ee58ab1b
• Instruction Fuzzy Hash: 0C4235B4A04228CFCB69EF24D85869DB7B6BF89205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 0946434ca7bef5942f3d3ed19d2d2ba1cfa80465a83bf1267d433a4b6db83abe
• Instruction ID: 1a71815afcf6c6d4e3a564a5dfe9ac11a0da01d2ff3b1a5639eca9acb4409209
• Opcode Fuzzy Hash: 0946434ca7bef5942f3d3ed19d2d2ba1cfa80465a83bf1267d433a4b6db83abe
• Instruction Fuzzy Hash: 934225B4A04228CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3744CF348EC5CF55
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 6eddc8c2cba25fab9cc4a53b5025afc0b031fa674a13bfebe7d3e8bae433bf8b
• Instruction ID: 5321e5e0b70163797e0008848162c4ff992f295a1f605a87e45d6869e215efe0
• Opcode Fuzzy Hash: 6eddc8c2cba25fab9cc4a53b5025afc0b031fa674a13bfebe7d3e8bae433bf8b
• Instruction Fuzzy Hash: 414225B4A04228CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3744CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: ff0c91d7b3e2ac7b7e7e462f3302b8b6e4a1cee5bad18cfa459a45a69f821c76
• Instruction ID: 5aef68a998929222cacf316ef737346fa79219fa902805b14573947b5890046a
• Opcode Fuzzy Hash: ff0c91d7b3e2ac7b7e7e462f3302b8b6e4a1cee5bad18cfa459a45a69f821c76
• Instruction Fuzzy Hash: DF4225B4A04228CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3744CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 3771c07a14e10f9bbdb922d2ad184f9e47210847575f10ccc1585bb2ae924e6c
• Instruction ID: e09be584f6f807ba292c3feab026955e35e855b6262166ba9652945745139777
• Opcode Fuzzy Hash: 3771c07a14e10f9bbdb922d2ad184f9e47210847575f10ccc1585bb2ae924e6c
• Instruction Fuzzy Hash: EB4235B4A04229CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3744CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 18e3d33d63f31f0225fabfb785d6def8ad8d25b16f201dea91bacddf5e7417e1
• Instruction ID: 948925378b7bda4451047c4c7f367fc3f138075dae8da2842f54d214ff13f618
• Opcode Fuzzy Hash: 18e3d33d63f31f0225fabfb785d6def8ad8d25b16f201dea91bacddf5e7417e1
• Instruction Fuzzy Hash: 3E3235B4A04229CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 74d662faaa52eddb2b02e65ff1bcbe8782a6754dc1b213b8d7e7f69f6a51119f
• Instruction ID: e5a7e62f0e96b8318fa8af3c45a2566e0ffbcf1f01a732b9d664991f1ab7ac6b
• Opcode Fuzzy Hash: 74d662faaa52eddb2b02e65ff1bcbe8782a6754dc1b213b8d7e7f69f6a51119f
• Instruction Fuzzy Hash: A93225B4A04229CFDB69EF24D85869DB7B6BF88205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 804f86640ff819274ad05815d7e4ed1260e87cb8686f38924434b43309be2417
• Instruction ID: b3ae073c84743ca770307cb18597d95f83773f05fce738e301d2e19800009393
• Opcode Fuzzy Hash: 804f86640ff819274ad05815d7e4ed1260e87cb8686f38924434b43309be2417
• Instruction Fuzzy Hash: 1F3235B4A04229CFDB69EF24D85869DB7B6BF88205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190F6B
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 3935983e0073b48a1cc9fb4f8ebc325859a5c29f79c718996852bf9f0c51d68b
• Instruction ID: baa09110a3be9f465f5f6b7f4ffef820021a8e7d88b3c9cef2b930133f2c621c
• Opcode Fuzzy Hash: 3935983e0073b48a1cc9fb4f8ebc325859a5c29f79c718996852bf9f0c51d68b
• Instruction Fuzzy Hash: 143235B4A04229CFDB69EF24D85869DB7B6BF88205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01190FB0
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionUser$InitializeThunk
• String ID:
• API String ID: 2638914809-0
• Opcode ID: 245d4fb40d1cff827ea5f182a1ec8c2091298d587abab68878d4fcb615124e63
• Instruction ID: 7bb5977510ca36a0ba4ff343f74fbab49ff9aab77001f659a41a2482043c9972
• Opcode Fuzzy Hash: 245d4fb40d1cff827ea5f182a1ec8c2091298d587abab68878d4fcb615124e63
• Instruction Fuzzy Hash: 1F3235B4A04229CFDB69EF24D85869DB7B6BF88205F5085E9D60AA3740CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: be17c5b2bdb54c13a4ec730ebcf73343537709132d4d4f2b94296c75468e7053
• Instruction ID: bef1f0b02ba053952a993af814ebd19e65da607e7ca32bf500abb70a795d2f32
• Opcode Fuzzy Hash: be17c5b2bdb54c13a4ec730ebcf73343537709132d4d4f2b94296c75468e7053
• Instruction Fuzzy Hash: CB3225B4A04229CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3750CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: ce02b7b7a70999a494c7ff7208b00f7a5e5fe33ff577086e97f0a6a0d3e5dde0
• Instruction ID: 24485084e5b2f1731469a7593c0837139c7f86eb168180cfea47bd288a1656f1
• Opcode Fuzzy Hash: ce02b7b7a70999a494c7ff7208b00f7a5e5fe33ff577086e97f0a6a0d3e5dde0
• Instruction Fuzzy Hash: 992225B4A04229CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3750CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: f73e7281d3ae33ead91d4256ff91bec0a0b183608a116224d8b1dd00d57a73bb
• Instruction ID: 5daaabc4658047def454ac4f47479f866d95011cdfddf3b003628e990ba79add
• Opcode Fuzzy Hash: f73e7281d3ae33ead91d4256ff91bec0a0b183608a116224d8b1dd00d57a73bb
• Instruction Fuzzy Hash: AD2225B4A04229CFCB69EF24D85869DB7B6BF88205F5085E9D60AA3750CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 6cabff10f4ebde5b49d55860668d288a98a950a2dd839c9ca63d6555178dda9f
• Instruction ID: ecf7cb5ed0d95a7cc9412f5b03f07bfb4457ef0c7b3b99128388e8b9483ebb4d
• Opcode Fuzzy Hash: 6cabff10f4ebde5b49d55860668d288a98a950a2dd839c9ca63d6555178dda9f
• Instruction Fuzzy Hash: 7C2235B4A04229CFCB69AF24D85869DB7B6BF88205F5085E9D60AA3750CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: d39aaae945b70d4f3fddb6116e3f34c732bb74916dea49e7bb6bc9ee3bddf793
• Instruction ID: e34fce0cd7dfa276c477a32342bd8828113ca574a6d13ef045ac167551f3ee7e
• Opcode Fuzzy Hash: d39aaae945b70d4f3fddb6116e3f34c732bb74916dea49e7bb6bc9ee3bddf793
• Instruction Fuzzy Hash: 8F2235B4A042298FCB68AF24D85869DB7B6BF88205F5085E9D60AA3750CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• KiUserExceptionDispatcher.NTDLL ref: 01191224
• LdrInitializeThunk.NTDLL ref: 0119153B
Memory Dump Source
• Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
Similarity
• API ID: DispatcherExceptionInitializeThunkUser
• String ID:
• API String ID: 243558500-0
• Opcode ID: 941998cca6caa60760bb19e2b5e3faed53236508eb2e4aa8e831694141696ad4
• Instruction ID: 06e87ceaca9b434a12df1e1985f60cb89179cbfe4e3f7984a9cb1ee7352d0672
• Opcode Fuzzy Hash: 941998cca6caa60760bb19e2b5e3faed53236508eb2e4aa8e831694141696ad4
• Instruction Fuzzy Hash: A42235B4A042298FCB68AF24D85869DB7B6BF88205F5085E9D60AA3754CF348EC5CF51
Uniqueness
Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                                    • String ID:
                                                                                    • API String ID: 243558500-0
                                                                                    • Opcode ID: cf834209eb580659c87c3d977716f6c82516bfd8b23f8c20f9a822654a5cef9f
                                                                                    • Instruction ID: c232cd84f232dbbdd9bb1541c59d6d9f421125f19a18298b9b413a361760b773
                                                                                    • Opcode Fuzzy Hash: cf834209eb580659c87c3d977716f6c82516bfd8b23f8c20f9a822654a5cef9f
                                                                                    • Instruction Fuzzy Hash: 561235B4A04229CFCB68AF34D85869DB7B6BF88205F5085E9D60AA3754CF348EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                                    • String ID:
                                                                                    • API String ID: 243558500-0
                                                                                    • Opcode ID: 0fb3b80f37bf819d0df6be131118c370658207d0791c7c890ce00dbb00a502ba
                                                                                    • Instruction ID: 849144aaf683f5330b445d972c32cb9ab27607e33600bc4cfa253a03f93a853d
                                                                                    • Opcode Fuzzy Hash: 0fb3b80f37bf819d0df6be131118c370658207d0791c7c890ce00dbb00a502ba
                                                                                    • Instruction Fuzzy Hash: 8A1235B4A042298FCB68AF34D85869DB7B6BF88205F5085E9D60AA3754CF348EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • KiUserExceptionDispatcher.NTDLL ref: 01191224
                                                                                    • LdrInitializeThunk.NTDLL ref: 0119153B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: DispatcherExceptionInitializeThunkUser
                                                                                    • String ID:
                                                                                    • API String ID: 243558500-0
                                                                                    • Opcode ID: f55aec2a725238458c0a875b677d0b8688c33f09f42ab735b9b46b2838009eaa
                                                                                    • Instruction ID: 06553ad9cdde40055f0df9f3df6034893c12a92652e17da8bfef6ad4019c7130
                                                                                    • Opcode Fuzzy Hash: f55aec2a725238458c0a875b677d0b8688c33f09f42ab735b9b46b2838009eaa
                                                                                    • Instruction Fuzzy Hash: 9C1246B4A042298BCB68AF34D85869DB7B6BF88205F5084E9D60AA3754CF348EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: b4a697ee5ed38867f134b34327b793cdcce77f604bda6538421be1eedeedee65
                                                                                    • Instruction ID: c180ba213a9bb5d93403e04bb12d1466fbc8c2dfa995f675c51a099993e5a197
                                                                                    • Opcode Fuzzy Hash: b4a697ee5ed38867f134b34327b793cdcce77f604bda6538421be1eedeedee65
                                                                                    • Instruction Fuzzy Hash: 2B1246B4A002298FDB68AF34D85869DB7B6BF88205F5085E9D60AA3754CF348EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 4848814091db59d4c4f782fb6b1c5aaccca22ce56e0e309cb037661cb3952317
                                                                                    • Instruction ID: d6096b39d8ae6d1ba3fe2e8cd71ff89d9a64d684b204061139062f282cad92d3
                                                                                    • Opcode Fuzzy Hash: 4848814091db59d4c4f782fb6b1c5aaccca22ce56e0e309cb037661cb3952317
                                                                                    • Instruction Fuzzy Hash: BE1246B4A002298BDB68AF34D85869DB7B6BF88205F1084E9D60AA3754CF348EC5CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 8e0fee302c3e1736a403faab335dfa783c5d07109638716e2cef8a6972fa5539
                                                                                    • Instruction ID: 5a6de61213e408a5c37829713d7b95c0f36ca529104e4e5624ed5689fc83ef58
                                                                                    • Opcode Fuzzy Hash: 8e0fee302c3e1736a403faab335dfa783c5d07109638716e2cef8a6972fa5539
                                                                                    • Instruction Fuzzy Hash: 0B0247B4A002288FDB68AF34D85879DB7B6BF88205F1085E9D60AA3754CF348EC5CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 622fe6af162be13d9878f4d5e1b404f21370605ffb1e724ae9d30ef1c7788e3e
                                                                                    • Instruction ID: d8a1e2f6da02e5e2eb22253a66934bbe40655e16da69a03a2c68785038511c44
                                                                                    • Opcode Fuzzy Hash: 622fe6af162be13d9878f4d5e1b404f21370605ffb1e724ae9d30ef1c7788e3e
                                                                                    • Instruction Fuzzy Hash: 570248B4A002288BDB68EF34D85879DB7B6BF88205F5085E9D60AA3754CF348EC5CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 8b02b3a0d6ddf983ba234b05e9b55cd801d6ed11fbfbc20f193bfb336957d86f
                                                                                    • Instruction ID: 7b98e4e7d5511b2e123d52c59caf1f980a74ef25d9759e2a6a9b8d4536787f36
                                                                                    • Opcode Fuzzy Hash: 8b02b3a0d6ddf983ba234b05e9b55cd801d6ed11fbfbc20f193bfb336957d86f
                                                                                    • Instruction Fuzzy Hash: F50248B4A002288BDB68AF34D85879DB7B6BF88205F5085E9D60AA3754CF348EC5CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: 9307ce521a789894bbb8c337a31449d6f5de70c26aa8c79077b87e1244081d3d
                                                                                    • Instruction ID: 29373487c38854685d2710dcf38629e59c9d38f5d2fe9bcce01a148fb38e96eb
                                                                                    • Opcode Fuzzy Hash: 9307ce521a789894bbb8c337a31449d6f5de70c26aa8c79077b87e1244081d3d
                                                                                    • Instruction Fuzzy Hash: E60248B4A002298BDB68EF34D85879DB7B6BF88205F5085E9D60AA3754CF348EC5CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634790062.0000000001190000.00000040.00000001.sdmp, Offset: 01190000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: InitializeThunk
                                                                                    • String ID:
                                                                                    • API String ID: 2994545307-0
                                                                                    • Opcode ID: a5b48bdde3425b287e4beb91c25a16cdda5356e0911a2e71fdb66e774a6ab3c8
                                                                                    • Instruction ID: fcc2f32ffb1fb6af0a92902dd95bbd7d44d07e4f5bba282e9f52bafd3cce1d8a
                                                                                    • Opcode Fuzzy Hash: a5b48bdde3425b287e4beb91c25a16cdda5356e0911a2e71fdb66e774a6ab3c8
                                                                                    • Instruction Fuzzy Hash: 340248B4A002288BDB68EF34D85879DB7B6BF88205F5085E9D50AA3354CF348EC9CF51
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a38d925322fcbc45d87c110aaa45b4f57ad577f0014d235565fcc2d6cffb120
                                                                                    • Instruction ID: 9d61240c86a65cb44379f01e056a8f03be7d4b13ea652e81152b0a1086db5f55
                                                                                    • Opcode Fuzzy Hash: 7a38d925322fcbc45d87c110aaa45b4f57ad577f0014d235565fcc2d6cffb120
                                                                                    • Instruction Fuzzy Hash: FD412472E1438A8FCB10DFA9C8446AEBBF0EF89314F15856ED505A7241EB789885CBD1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0124EE14
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634900352.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: Open
                                                                                    • String ID:
                                                                                    • API String ID: 71445658-0
                                                                                    • Opcode ID: 7c00e7f0f20c1dbf1961d4a9c7222faa4112c78f39b3ce0c0995aeb068037d8d
                                                                                    • Instruction ID: a4a5460aca066bee51c9bd372eb0017d0627eef1e50395e782951bcf79f4e56a
                                                                                    • Opcode Fuzzy Hash: 7c00e7f0f20c1dbf1961d4a9c7222faa4112c78f39b3ce0c0995aeb068037d8d
                                                                                    • Instruction Fuzzy Hash: 0E4166B1A043898FDB14CFA9C584A8EFFF5BF49304F29C16AE508AB341D7799845CB90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0124F081
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634900352.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: 398af4d49e79bb590b1dd60ceaeba6412574cbd315140cc42598db7a979931ae
                                                                                    • Instruction ID: e26279456f3b4b7faacca7bc9e722b77740449e5ce38269bca227ef8180a5336
                                                                                    • Opcode Fuzzy Hash: 398af4d49e79bb590b1dd60ceaeba6412574cbd315140cc42598db7a979931ae
                                                                                    • Instruction Fuzzy Hash: 1B4110B1D002589FCB24CFAAC984ACEBFF5BF88314F55802AE819AB304C7759845CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0124F081
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634900352.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    • Opcode ID: 422103cc12202169f9344ed5d9b65cd7a39aef012b1d011d4b6d5e80c3d7fabf
                                                                                    • Instruction ID: ee31e13a43310a9bf58dbcd0f41ecad58902337edda204add299a3ce632adcd9
                                                                                    • Opcode Fuzzy Hash: 422103cc12202169f9344ed5d9b65cd7a39aef012b1d011d4b6d5e80c3d7fabf
                                                                                    • Instruction Fuzzy Hash: 88310EB1D102589FCB24CF9AC984A9EBFF5BF88304F55802AE819AB304D7759849CF90
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0124EE14
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634900352.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: Open
                                                                                    • String ID:
                                                                                    • API String ID: 71445658-0
                                                                                    • Opcode ID: 3a189115f1fff90492613b8e79c9c30c95806c142be5c4361482e913dc54745e
                                                                                    • Instruction ID: d1221ca401fb7a5e3ec1297fac543e9aba657e36e436b57a04e39a839e313eb5
                                                                                    • Opcode Fuzzy Hash: 3a189115f1fff90492613b8e79c9c30c95806c142be5c4361482e913dc54745e
                                                                                    • Instruction Fuzzy Hash: 303101B1D04289CFEB14CF99C584A8EFFF5BF48314F29816AE509AB341C7799885CB94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01211CBB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: eed8844351cfb061a667749fd57e2c868ecd6de9abe5b946052972e91b420384
                                                                                    • Instruction ID: 3cc2ff881df827576a55d7e6a7d85bf69d42682a07255b9eb6f02f23f7df407e
                                                                                    • Opcode Fuzzy Hash: eed8844351cfb061a667749fd57e2c868ecd6de9abe5b946052972e91b420384
                                                                                    • Instruction Fuzzy Hash: C02165B1D002098FCB10CFA9C844BEEBBF0BB88324F10842AE555A3250C774A945CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01211CBB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 2061f61c97e26afab4da08398b4e296c9057c52a9ac2cb70e69cdac4975b9eaf
                                                                                    • Instruction ID: 1de813190fd40677ec807e28c71dac82050c0aac220a1c256909b1d4edd95546
                                                                                    • Opcode Fuzzy Hash: 2061f61c97e26afab4da08398b4e296c9057c52a9ac2cb70e69cdac4975b9eaf
                                                                                    • Instruction Fuzzy Hash: 022124B1D002099FCB14CFAAD944BEEFBF5BB88314F14842AE519A7750CB74A945CFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0121C2C1,00000800), ref: 0121C352
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 14d09a2ba9b01a69cc0a2b190eed58116fc357c5d03c08ccfbd142e51f249d9f
                                                                                    • Instruction ID: d6fcb1a23abcac8636ed290aa5e59b31cf3b84c1cf24586bd5dab717fb320c50
                                                                                    • Opcode Fuzzy Hash: 14d09a2ba9b01a69cc0a2b190eed58116fc357c5d03c08ccfbd142e51f249d9f
                                                                                    • Instruction Fuzzy Hash: 851114B69003499FDB14CF9AC484ADEFBF4EB98314F14842EE519B7200C3B4A546CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0121C2C1,00000800), ref: 0121C352
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 90eb3bfef5912858a4fc2b2e8e5cd63dd058d7d2db68a538e4c966db6592e8ce
                                                                                    • Instruction ID: 665dee6eb5639f804b03d02f8dfb1fa26737247aaaf256457c24c72e559adc4e
                                                                                    • Opcode Fuzzy Hash: 90eb3bfef5912858a4fc2b2e8e5cd63dd058d7d2db68a538e4c966db6592e8ce
                                                                                    • Instruction Fuzzy Hash: 9B1103B69003498FDB14CF99C484ADEFBF4EB98324F15852ED529A7200C374A64ACFA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 01210CB7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID: GlobalMemoryStatus
                                                                                    • String ID:
                                                                                    • API String ID: 1890195054-0
                                                                                    • Opcode ID: 64af3fb8ea5f6d6167ce8913a1e258864a654f6969179991bbd18be35122aa8e
                                                                                    • Instruction ID: 9d4f3d2a2618b65fe110ad0d121e53159525f3997325f7d4a6b5792a24ee2d05
                                                                                    • Opcode Fuzzy Hash: 64af3fb8ea5f6d6167ce8913a1e258864a654f6969179991bbd18be35122aa8e
                                                                                    • Instruction Fuzzy Hash: BC11FFB1C006599FCB10CF9AD444BEEFBF4AB48324F15812AE828B7240D378A955CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.635331392.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e6b723af0d1a16d4f311069e90a77a95334ebc234e36142cc890a17a26bd2901
                                                                                    • Instruction ID: fdc9272c1bcff6faa0ad2a866c1bedd373faccc6ce9e23326f97b5909a5b654b
                                                                                    • Opcode Fuzzy Hash: e6b723af0d1a16d4f311069e90a77a95334ebc234e36142cc890a17a26bd2901
                                                                                    • Instruction Fuzzy Hash: 962137B1A04284DFCB16DF54D8C0B56BB61FF84358F24C56ED9094B356C33AD807CA61
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000004.00000002.635331392.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6d514eb29b33cd69f6f28a7644ae1a0cd8ad64e4dea54e3b24946e0b845eb0d4
                                                                                    • Instruction ID: f5900659af6ef15819816a13880b497b88ffece266a6f990602b54744b4995c3
                                                                                    • Opcode Fuzzy Hash: 6d514eb29b33cd69f6f28a7644ae1a0cd8ad64e4dea54e3b24946e0b845eb0d4
                                                                                    • Instruction Fuzzy Hash: CE217F755093C08FCB03CF24D990756BF71EF46218F28C5DAD8498B667C33A984ACB62
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%
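The entries above are the sandbox's per-function fingerprints; when triaging a report this size it helps to pull out just the API call sites and their addresses rather than reading each block. Below is an added example (not part of the report and not Joe Sandbox code) of a small parser for this entry layout. The sample text is copied from the entries above, and the behaviour tags it attaches to each API are an analyst's heuristics, not the sandbox's own verdicts.

```python
"""Parse Joe Sandbox per-function 'Similarity' entries and list the API call
sites worth triaging.  Added example; layout assumed from the entries above."""
import re
from collections import defaultdict

# Constructed input: entries copied from the function list above, including one
# (from the 0147D000 dump) that carries no API call at all.
SAMPLE = """\
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01211CBB
Memory Dump Source
• Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
Similarity
• API ID: HookWindows
• String ID:
• Opcode ID: 2061f61c97e26afab4da08398b4e296c9057c52a9ac2cb70e69cdac4975b9eaf
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0121C2C1,00000800), ref: 0121C352
• Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
• API ID: LibraryLoad
• Opcode ID: 14d09a2ba9b01a69cc0a2b190eed58116fc357c5d03c08ccfbd142e51f249d9f
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000000,?,0121C2C1,00000800), ref: 0121C352
• Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
• API ID: LibraryLoad
• Opcode ID: 90eb3bfef5912858a4fc2b2e8e5cd63dd058d7d2db68a538e4c966db6592e8ce
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 01210CB7
• Source File: 00000004.00000002.634869745.0000000001210000.00000040.00000001.sdmp, Offset: 01210000, based on PE: false
• API ID: GlobalMemoryStatus
• Opcode ID: 64af3fb8ea5f6d6167ce8913a1e258864a654f6969179991bbd18be35122aa8e
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.635331392.000000000147D000.00000040.00000001.sdmp, Offset: 0147D000, based on PE: false
• API ID:
• Opcode ID: e6b723af0d1a16d4f311069e90a77a95334ebc234e36142cc890a17a26bd2901
Uniqueness Score: -1.00%
"""

# "Api.Module(args), ref: ADDR" or, with no argument list, "Api.Module ref: ADDR".
API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^• Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<val>.*)$")

# Analyst heuristic tags (my interpretation, not sandbox output): the report
# signature each call site most plausibly backs.
TAGS = {
    "SetWindowsHookExW": "global keyboard hook (keylogging)",
    "GlobalMemoryStatusEx": "physical-memory query (common sandbox/VM check)",
    "LoadLibraryExW": "runtime library loading",
}


def parse_entries(text):
    """Split on the 'Uniqueness Score' terminator; return one dict per entry
    with its API calls, dump source and the bullet fields (Opcode ID etc.)."""
    entries = []
    for chunk in re.split(r"^Uniqueness Score: .*$", text, flags=re.M):
        if not chunk.strip():
            continue
        entry = {"apis": [], "fields": {}}
        for line in chunk.splitlines():
            line = line.strip()
            if (m := API_RE.match(line)):
                entry["apis"].append(m.groupdict())
            elif (m := SOURCE_RE.match(line)):
                entry.update(file=m["file"], offset=int(m["off"], 16),
                             pe=(m["pe"] == "true"))
            elif (m := FIELD_RE.match(line)):
                entry["fields"][m["key"]] = m["val"]
        entries.append(entry)
    return entries


def triage(entries):
    """One (api, ref address, tag) tuple per API call site, in report order."""
    return [(a["api"], a["ref"], TAGS.get(a["api"], "untagged"))
            for e in entries for a in e["apis"]]


def call_sites(entries):
    """Map each call-site address to the Opcode IDs of the function
    fingerprints containing it; two IDs at one address (as with 0121C352)
    means two fingerprinted functions include the same call instruction."""
    sites = defaultdict(list)
    for e in entries:
        for a in e["apis"]:
            sites[a["ref"]].append(e["fields"].get("Opcode ID"))
    return dict(sites)


if __name__ == "__main__":
    for api, ref, tag in triage(parse_entries(SAMPLE)):
        print(f"{ref}  {api:<22} {tag}")
```

Run against a full report, the `triage` listing is what you would cross-check against the signature summary at the top of the page (the SetWindowsHookExW site is the evidence behind "Installs a global keyboard hook"), and `call_sites` flags addresses that the sandbox fingerprinted more than once.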

                                                                                    Non-executed Functions