
Analysis Report njGJ1eW44wshoMr.exe

Overview

General Information

Sample Name: njGJ1eW44wshoMr.exe
Analysis ID: 344975
MD5: 3642d5bf033629d0a716fff2c17125b2
SHA1: 47993d2f980a7c3de204b008618c9b4c25511a49
SHA256: c7af68bcec3b1c2e3a87f08111ab75b525799c5386fa85b529f8690bfa1c766a
Tags: AgentTesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • njGJ1eW44wshoMr.exe (PID: 4188 cmdline: 'C:\Users\user\Desktop\njGJ1eW44wshoMr.exe' MD5: 3642D5BF033629D0A716FFF2C17125B2)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "Msrcg53Go53k", "URL: ": "http://u8XlnFfKOIQs9ntdu.org", "To: ": "presidencia@cefortem.cat", "ByHost: ": "mail.cefortem.cat:587", "Password: ": "4RubS", "From: ": "presidencia@cefortem.cat"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(4 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.njGJ1eW44wshoMr.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: njGJ1eW44wshoMr.exe.6468.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "Msrcg53Go53k", "URL: ": "http://u8XlnFfKOIQs9ntdu.org", "To: ": "presidencia@cefortem.cat", "ByHost: ": "mail.cefortem.cat:587", "Password: ": "4RubS", "From: ": "presidencia@cefortem.cat"}
Multi AV Scanner detection for submitted file
Source: njGJ1eW44wshoMr.exe | Virustotal: Detection: 26%
Source: njGJ1eW44wshoMr.exe | ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: njGJ1eW44wshoMr.exe | Joe Sandbox ML: detected
Source: 1.2.njGJ1eW44wshoMr.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: njGJ1eW44wshoMr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: njGJ1eW44wshoMr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://u8XlnFfKOIQs9ntdu.org
Source: global traffic | TCP traffic: 192.168.2.6:49757 -> 46.16.62.134:587
Source: Joe Sandbox View | IP Address: 46.16.62.134
Source: Joe Sandbox View | ASN Name: CDMONsistemescdmoncomES
Source: unknown | DNS traffic detected: queries for: mail.cefortem.cat
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://DXhCun.com
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.332863380.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.332609376.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.332609376.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comh
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.684619940.0000000002F4D000.00000004.00000001.sdmp | String found in binary or memory: http://mail.cefortem.cat
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682596949.0000000001170000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: http://u8XlnFfKOIQs9ntdu.org
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.337317423.0000000005D83000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.337240657.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.337279867.0000000005D83000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html&
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336631403.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comO
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comen
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comes
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comexc
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comf
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335213930.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comfac
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comkO
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.M
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comofG
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comr-tk
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comslnt
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comue-
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.344524376.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339182936.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/O
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.342211762.0000000005D9E000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.340409954.0000000005D9E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.340038806.0000000005D9E000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339875376.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlG
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.340685503.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.344524376.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersB
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339605314.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersL
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339605314.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersO
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339557174.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersa
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339706590.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.339651663.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersz
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354020205.00000000014F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com9t
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354020205.00000000014F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comas
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334128429.0000000005D84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334385567.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333749487.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/7
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334128429.0000000005D84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334704774.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnark
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334801239.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-sM
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.342253941.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.342086297.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333347958.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.m.
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.331736060.0000000005D62000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.331736060.0000000005D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333749487.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.cn
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr6
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krs-cl
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336110347.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comT
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comf
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.334654620.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn-u
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339035591.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.339035591.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deC
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnO
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnZ
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.336631403.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: njGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnofG
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\njGJ1eW44wshoMr.exe
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 0_2_009C8322
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_010A46A0
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_010A45D0
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_05DC7540
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_05DC94F8
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_05DC6C70
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_05DC6928
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_007B8322
Source: njGJ1eW44wshoMr.exe | Binary or memory string: OriginalFilename vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.352877434.00000000009C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyYFU+ vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaLjBjGUvWecwGptNRQryBtRBaVCtO.exe4 vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe | Binary or memory string: OriginalFilename vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682482212.00000000010DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.688302251.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameaLjBjGUvWecwGptNRQryBtRBaVCtO.exe4 vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.680946962.00000000007B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameyYFU+ vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.687936279.0000000006250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.681440756.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe, 00000001.00000002.681332281.00000000009D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe | Binary or memory string: OriginalFilenameyYFU+ vs njGJ1eW44wshoMr.exe
Source: njGJ1eW44wshoMr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\njGJ1eW44wshoMr.exe.log
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Mutant created: \Sessions\1\BaseNamedObjects\egACZUqeVySfQhEDeEFwVnWG
Source: njGJ1eW44wshoMr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: njGJ1eW44wshoMr.exe | Virustotal: Detection: 26%
Source: njGJ1eW44wshoMr.exe | ReversingLabs: Detection: 30%
Source: unknown | Process created: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe 'C:\Users\user\Desktop\njGJ1eW44wshoMr.exe'
Source: unknown | Process created: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe {path}
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Process created: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe {path}
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: njGJ1eW44wshoMr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: njGJ1eW44wshoMr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              barindex
              .NET source code contains potential unpackerShow sources
              Source: njGJ1eW44wshoMr.exe, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.njGJ1eW44wshoMr.exe.9c0000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.njGJ1eW44wshoMr.exe.9c0000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.2.njGJ1eW44wshoMr.exe.7b0000.1.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 1.0.njGJ1eW44wshoMr.exe.7b0000.0.unpack, loginForm.cs.Net Code: SuspendLayout System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeCode function: 1_2_0103D95C push eax; ret 1_2_0103D95D
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeCode function: 1_2_0103E28A push eax; ret 1_2_0103E349
              Source: initial sampleStatic PE information: section name: .text entropy: 7.54334100572
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 4188, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Window / User API: threadDelayed 1326
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Window / User API: threadDelayed 8525
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe TID: 852 | Thread sleep time: -31500s >= -30000s
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe TID: 2944 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe TID: 6648 | Thread sleep time: -17524406870024063s >= -30000s
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe TID: 6656 | Thread sleep count: 1326 > 30
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe TID: 6656 | Thread sleep count: 8525 > 30
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354798767.00000000030D1000.00000004.00000001.sdmp | Binary or memory string: VMware
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: njGJ1eW44wshoMr.exe, 00000000.00000002.354058469.0000000002DA1000.00000004.00000001.sdmp | Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
              Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682596949.0000000001170000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Memory allocated: page read and write | page guard
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Process created: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe {path}
              Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682763913.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682763913.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682763913.0000000001690000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
              Source: njGJ1eW44wshoMr.exe, 00000001.00000002.682763913.0000000001690000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Code function: 1_2_05DC5A94 GetUserNameW
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

               Stealing of Sensitive Information:

               Yara detected AgentTesla
               Source: Yara match | File source: 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 4188, type: MEMORY
               Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 6468, type: MEMORY
               Source: Yara match | File source: 1.2.njGJ1eW44wshoMr.exe.400000.0.unpack, type: UNPACKEDPE
               Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
               Tries to harvest and steal browser information (history, passwords, etc)
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
               Tries to harvest and steal ftp login credentials
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
               Tries to steal Mail credentials (via file access)
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
               Source: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
               Source: Yara match | File source: 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 6468, type: MEMORY

               Remote Access Functionality:

               Yara detected AgentTesla
               Source: Yara match | File source: 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 4188, type: MEMORY
               Source: Yara match | File source: Process Memory Space: njGJ1eW44wshoMr.exe PID: 6468, type: MEMORY
               Source: Yara match | File source: 1.2.njGJ1eW44wshoMr.exe.400000.0.unpack, type: UNPACKEDPE

               Mitre Att&ck Matrix

               Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
               Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection12 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
               Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information2 | Input Capture11 | System Information Discovery114 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
               Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing12 | Credentials in Registry1 | Query Registry1 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
               Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading1 | NTDS | Security Software Discovery211 | Distributed Component Object Model | Input Capture11 | Scheduled Transfer | Application Layer Protocol111 | SIM Card Swap | | Carrier Billing Fraud
               Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion13 | LSA Secrets | Virtualization/Sandbox Evasion13 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
               Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection12 | Cached Domain Credentials | Process Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
               External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
               Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
               Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

               Source | Detection | Scanner | Label
               njGJ1eW44wshoMr.exe | 26% | Virustotal |
               njGJ1eW44wshoMr.exe | 30% | ReversingLabs | ByteCode-MSIL.Packed.Generic
               njGJ1eW44wshoMr.exe | 100% | Joe Sandbox ML |

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

               Source | Detection | Scanner | Label
               1.2.njGJ1eW44wshoMr.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

               Source | Detection | Scanner | Label
               http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comofG | 0% | Avira URL Cloud | safe
               http://DXhCun.com | 0% | Avira URL Cloud | safe
               http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
               http://www.sandoll.co.kr6 | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comes | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comva | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comen | 0% | Avira URL Cloud | safe
               http://www.founder.com.cn/cnark | 0% | Avira URL Cloud | safe
               http://r3.i.lencr | 0% | Avira URL Cloud | safe
               http://www.tiro.com | 0% | URL Reputation | safe
               http://www.zhongyicts.com.cnofG | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comkO | 0% | Avira URL Cloud | safe
               http://www.goodfont.co.kr | 0% | URL Reputation | safe
               http://www.carterandcone.com | 0% | URL Reputation | safe
               http://www.carterandcone.com- | 0% | Avira URL Cloud | safe
               http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
               http://www.founder.com.cn/cnD | 0% | Avira URL Cloud | safe
               http://www.sajatypeworks.com | 0% | URL Reputation | safe
               http://www.typography.netD | 0% | URL Reputation | safe
               http://www.fontbureau.comas | 0% | Avira URL Cloud | safe
               http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
               http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
               http://fontfabrik.com | 0% | URL Reputation | safe
               http://www.carterandcone.comC | 0% | URL Reputation | safe
               http://www.carterandcone.comr-tk | 0% | Avira URL Cloud | safe
               http://r3.o.lencr.org0 | 0% | URL Reputation | safe
               http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
               https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
               http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
               http://www.ascendercorp.com/typedesigners.html& | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comO | 0% | Avira URL Cloud | safe
               http://www.sandoll.cn | 0% | Avira URL Cloud | safe
               http://www.sandoll.co.kr | 0% | URL Reputation | safe
               http://fontfabrik.comh | 0% | Avira URL Cloud | safe
               http://www.urwpp.deDPlease | 0% | URL Reputation | safe
               http://www.urwpp.de | 0% | URL Reputation | safe
               http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
               http://www.sakkal.com | 0% | URL Reputation | safe
               https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
               http://www.sandoll.co.krs-cl | 0% | Avira URL Cloud | safe
               http://www.carterandcone.comue- | 0% | Avira URL Cloud | safe
               http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
               http://u8XlnFfKOIQs9ntdu.org | 0% | Avira URL Cloud | safe
               http://www.carterandcone.coma | 0% | URL Reputation | safe
               http://www.carterandcone.comexc | 0% | Avira URL Cloud | safe
               http://DynDns.comDynDNS | 0% | URL Reputation | safe
               http://www.carterandcone.comf | 0% | Avira URL Cloud | safe
               http://www.founder.com.cn/cn/7 | 0% | Avira URL Cloud | safe
               http://www.sajatypeworks.comt | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

               Name | IP | Active | Malicious | Antivirus Detection | Reputation
               mail.cefortem.cat | 46.16.62.134 | true | true | | unknown

                Contacted URLs

               Name | Malicious | Antivirus Detection | Reputation
               http://u8XlnFfKOIQs9ntdu.org | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

               Name | Source | Malicious | Antivirus Detection | Reputation
               http://127.0.0.1:HTTP/1.1 | njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
               http://www.carterandcone.comofG | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fontbureau.com/designersG | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | | high
               http://DXhCun.com | njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fontbureau.com/designers/? | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | | high
               http://www.fontbureau.com/designersL | njGJ1eW44wshoMr.exe, 00000000.00000003.339605314.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.founder.com.cn/cn/bThe | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.sandoll.co.kr6 | njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.carterandcone.comes | njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fontbureau.com/designers? | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | | high
               http://www.carterandcone.comva | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.carterandcone.comen | njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fontbureau.com/designersB | njGJ1eW44wshoMr.exe, 00000000.00000003.344524376.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.founder.com.cn/cnark | njGJ1eW44wshoMr.exe, 00000000.00000003.334704774.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://r3.i.lencr | njGJ1eW44wshoMr.exe, 00000001.00000002.682596949.0000000001170000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.tiro.com | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.zhongyicts.com.cnofG | njGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.carterandcone.comkO | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fontbureau.com/designers | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.344524376.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.fontbureau.com/designers/O | njGJ1eW44wshoMr.exe, 00000000.00000003.339182936.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.goodfont.co.kr | njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.carterandcone.com | njGJ1eW44wshoMr.exe, 00000000.00000003.336631403.0000000005D7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.fontbureau.com/designersO | njGJ1eW44wshoMr.exe, 00000000.00000003.339605314.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.carterandcone.com- | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
               http://r3.i.lencr.org/0 | njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.founder.com.cn/cnD | njGJ1eW44wshoMr.exe, 00000000.00000003.334128429.0000000005D84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.sajatypeworks.com | njGJ1eW44wshoMr.exe, 00000000.00000003.331736060.0000000005D62000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.typography.netD | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.fontbureau.comas | njGJ1eW44wshoMr.exe, 00000000.00000002.354020205.00000000014F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.founder.com.cn/cn/cThe | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.galapagosdesign.com/staff/dennis.htm | njGJ1eW44wshoMr.exe, 00000000.00000003.342253941.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.342086297.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://fontfabrik.com | njGJ1eW44wshoMr.exe, 00000000.00000003.332609376.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.fontbureau.com/designers/frere-jones.htmlG | njGJ1eW44wshoMr.exe, 00000000.00000003.339875376.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.carterandcone.comC | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.fontbureau.com/designersa | njGJ1eW44wshoMr.exe, 00000000.00000003.339557174.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.carterandcone.comr-tk | njGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://r3.o.lencr.org0 | njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.galapagosdesign.com/DPlease | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               https://api.ipify.org%GETMozilla/5.0 | njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
               http://www.ascendercorp.com/typedesigners.html | njGJ1eW44wshoMr.exe, 00000000.00000003.337317423.0000000005D83000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.337240657.0000000005D83000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.ascendercorp.com/typedesigners.html& | njGJ1eW44wshoMr.exe, 00000000.00000003.337279867.0000000005D83000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.carterandcone.comO | njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.fonts.com | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | | high
               http://www.sandoll.cn | njGJ1eW44wshoMr.exe, 00000000.00000003.333749487.0000000005D7F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.sandoll.co.kr | njGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://fontfabrik.comh | njGJ1eW44wshoMr.exe, 00000000.00000003.332609376.0000000005D7B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
               http://www.urwpp.deDPlease | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.fontbureau.com/designersz | njGJ1eW44wshoMr.exe, 00000000.00000003.339706590.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.339651663.0000000005D7B000.00000004.00000001.sdmp | false | | high
               http://www.urwpp.de | njGJ1eW44wshoMr.exe, 00000000.00000003.339035591.0000000005D7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.zhongyicts.com.cn | njGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
               http://www.sakkal.com | njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmp | false
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipnjGJ1eW44wshoMr.exe, 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.sandoll.co.krs-clnjGJ1eW44wshoMr.exe, 00000000.00000003.333676360.0000000005D7F000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.carterandcone.comue-njGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        low
                                        http://cps.root-x1.letsencrypt.org0njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.carterandcone.comanjGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.carterandcone.comexcnjGJ1eW44wshoMr.exe, 00000000.00000003.335498649.0000000005D7B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comnjGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                            high
                                            http://DynDns.comDynDNSnjGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comfnjGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cn/7njGJ1eW44wshoMr.exe, 00000000.00000003.333749487.0000000005D7F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.sajatypeworks.comtnjGJ1eW44wshoMr.exe, 00000000.00000003.331736060.0000000005D62000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.m.njGJ1eW44wshoMr.exe, 00000000.00000003.333347958.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://cps.letsencrypt.org0njGJ1eW44wshoMr.exe, 00000001.00000002.687782985.0000000005F6C000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hanjGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comfacnjGJ1eW44wshoMr.exe, 00000000.00000003.335213930.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.como.MnjGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.comslntnjGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://en.wnjGJ1eW44wshoMr.exe, 00000000.00000003.332863380.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comnnjGJ1eW44wshoMr.exe, 00000000.00000003.335917362.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://api.ipify.org%$njGJ1eW44wshoMr.exe, 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.carterandcone.comlnjGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deCnjGJ1eW44wshoMr.exe, 00000000.00000003.339035591.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.founder.com.cn/cn/njGJ1eW44wshoMr.exe, 00000000.00000003.334385567.0000000005D7B000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNnjGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cnnjGJ1eW44wshoMr.exe, 00000000.00000003.334128429.0000000005D84000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlnjGJ1eW44wshoMr.exe, 00000000.00000003.340038806.0000000005D9E000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.tiro.comn-unjGJ1eW44wshoMr.exe, 00000000.00000003.334654620.0000000005D7B000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlnjGJ1eW44wshoMr.exe, 00000000.00000003.342211762.0000000005D9E000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000003.340409954.0000000005D9E000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.tiro.comTnjGJ1eW44wshoMr.exe, 00000000.00000003.336110347.0000000005D7B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.zhongyicts.com.cnZnjGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.zhongyicts.com.cno.njGJ1eW44wshoMr.exe, 00000000.00000003.336631403.0000000005D7B000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://mail.cefortem.catnjGJ1eW44wshoMr.exe, 00000001.00000002.684619940.0000000002F4D000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers8njGJ1eW44wshoMr.exe, 00000000.00000003.340685503.0000000005D7B000.00000004.00000001.sdmp, njGJ1eW44wshoMr.exe, 00000000.00000002.358220825.0000000005E50000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.zhongyicts.com.cnOnjGJ1eW44wshoMr.exe, 00000000.00000003.335064386.0000000005D7B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.founder.com.cn/cnl-sMnjGJ1eW44wshoMr.exe, 00000000.00000003.334801239.0000000005D7B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.tiro.comfnjGJ1eW44wshoMr.exe, 00000000.00000003.336266777.0000000005D7B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fontbureau.com9tnjGJ1eW44wshoMr.exe, 00000000.00000002.354020205.00000000014F7000.00000004.00000040.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
46.16.62.134 | unknown | Spain | 197712 | CDMONsistemescdmoncomES | true

                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344975
Start date: 27.01.2021
Start time: 15:16:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: njGJ1eW44wshoMr.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@2/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 34
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 52.147.198.201, 51.104.139.180, 95.101.22.216, 95.101.22.224, 52.155.217.156, 20.54.26.129, 67.27.159.126, 8.248.139.254, 67.27.158.126, 67.27.157.254, 67.27.158.254, 51.103.5.186, 51.104.144.132, 23.210.248.85
                                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
15:17:12 | API Interceptor | 1044x Sleep call for process: njGJ1eW44wshoMr.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match | Associated Sample Name | Detection
46.16.62.134 | 3nG9LW7Z21dxUoM.exe | malicious
46.16.62.134 | keeFDE9dhCGNNez.exe | malicious
46.16.62.134 | 74tF1foMeQyUMCh.exe | malicious
46.16.62.134 | qm7JU84PFgfqvgs.exe | malicious
46.16.62.134 | WbGKi8E5OE4eCFG.exe | malicious
46.16.62.134 | r9SWnqQlK8PFPEp.exe | malicious
46.16.62.134 | L9oOm9x3I7YZFcA.exe | malicious
46.16.62.134 | jKiL1mzTAVltJ30.exe | malicious
46.16.62.134 | 09xcuRN2HJmRRCm.exe | malicious
46.16.62.134 | aLjBjGUvWecwGptNRQryBtRBaVCtO.exe | malicious
46.16.62.134 | UsU2f18QuIdAe2U.exe | malicious

                                                                          Domains

Match | Associated Sample Name | Detection | Context
mail.cefortem.cat | 3nG9LW7Z21dxUoM.exe | malicious | 46.16.62.134
mail.cefortem.cat | keeFDE9dhCGNNez.exe | malicious | 46.16.62.134
mail.cefortem.cat | 74tF1foMeQyUMCh.exe | malicious | 46.16.62.134
mail.cefortem.cat | qm7JU84PFgfqvgs.exe | malicious | 46.16.62.134
mail.cefortem.cat | WbGKi8E5OE4eCFG.exe | malicious | 46.16.62.134
mail.cefortem.cat | r9SWnqQlK8PFPEp.exe | malicious | 46.16.62.134
mail.cefortem.cat | L9oOm9x3I7YZFcA.exe | malicious | 46.16.62.134
mail.cefortem.cat | jKiL1mzTAVltJ30.exe | malicious | 46.16.62.134
mail.cefortem.cat | 09xcuRN2HJmRRCm.exe | malicious | 46.16.62.134
mail.cefortem.cat | aLjBjGUvWecwGptNRQryBtRBaVCtO.exe | malicious | 46.16.62.134
mail.cefortem.cat | UsU2f18QuIdAe2U.exe | malicious | 46.16.62.134

                                                                          ASN

Match | Associated Sample Name | Detection | Context
CDMONsistemescdmoncomES | 3nG9LW7Z21dxUoM.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | keeFDE9dhCGNNez.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | 74tF1foMeQyUMCh.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | qm7JU84PFgfqvgs.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | winlog.exe | malicious | 46.16.61.250
CDMONsistemescdmoncomES | PRESUPUESTO.xlsx | malicious | 46.16.61.250
CDMONsistemescdmoncomES | WbGKi8E5OE4eCFG.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | r9SWnqQlK8PFPEp.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | L9oOm9x3I7YZFcA.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe | malicious | 134.0.10.35
CDMONsistemescdmoncomES | jKiL1mzTAVltJ30.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | 09xcuRN2HJmRRCm.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | 57229937-122020-4-7676523.doc | malicious | 185.66.41.128
CDMONsistemescdmoncomES | aLjBjGUvWecwGptNRQryBtRBaVCtO.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | UsU2f18QuIdAe2U.exe | malicious | 46.16.62.134
CDMONsistemescdmoncomES | Nakit Akisi Detaylariniz.exe | malicious | 46.16.61.250
CDMONsistemescdmoncomES | Archivo_122020_1977149.doc | malicious | 185.66.41.128
CDMONsistemescdmoncomES | Doc.doc | malicious | 185.66.41.127
CDMONsistemescdmoncomES | JI35907_2020.doc | malicious | 185.66.41.127
CDMONsistemescdmoncomES | SHIPMENT DOCUMENTS, INV+BL DRAFT.exe | malicious | 185.34.194.66

                                                                          JA3 Fingerprints

                                                                          No context

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\njGJ1eW44wshoMr.exe.log
Process: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\y2hqe4dr.iim\Chrome\Default\Cookies
Process: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):0.6951152985249047
                                                                          Encrypted:false
                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                                          MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                                          SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                                          SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                                          SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
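The first dropped file above is written by the runtime, not by the malware's own code: the CLR records the assemblies a managed process binds in %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<exe>.log (the _32 suffix corresponds to the 32-bit runtime), so the file's existence is evidence that njGJ1eW44wshoMr.exe actually ran under .NET 4 on the host, and its records show which framework assemblies it pulled in (System.Windows.Forms, System.Drawing, System.Configuration, ...). The parser below is an added example, not part of the report: the record lines are reconstructed from the report's preview, keeping only records that the truncated preview shows in full, and the meaning given to the leading field (1 = loader setting, 2 = assembly bound by name, 3 = assembly plus the native image that satisfied it) is inferred from that preview, not taken from documentation.

```python
"""Parse a CLR usage log into the assemblies a .NET process bound at run time.
Added example, not from the report. SAMPLE_LOG is reconstructed from the
report's preview of njGJ1eW44wshoMr.exe.log (complete records only); the
record-kind interpretation (1 = loader setting, 2 = assembly bound by name,
3 = assembly plus native image) is inferred from that preview, not documented."""
import csv
import io

SAMPLE_LOG = "\r\n".join([
    '1,"fusion","GAC",0',
    '1,"WinRT","NotApp",1',
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0',
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0',
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0',
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0',
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\8d67d92724ba494b6c7fd089d6f25b48\\System.Configuration.ni.dll",0',
]) + "\r\n"


def parse_usage_log(text: str) -> dict:
    """Return {'settings': {...}, 'assemblies': [...]} from the CSV-style usage log.
    Each assembly entry carries the simple name, Version, PublicKeyToken and, for
    kind-3 records, the native image (NGEN .ni.dll) path that the loader used."""
    settings, assemblies = {}, []
    # the log is CRLF-terminated CSV; newline="" lets csv do its own line handling
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) < 3:
            continue
        kind, name = row[0], row[1]
        if kind == "1":                       # e.g. 1,"fusion","GAC",0
            settings[name] = row[2]
        elif kind in ("2", "3"):              # assembly display name, optional native image
            parts = [p.strip() for p in name.split(",")]
            attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            assemblies.append({"name": parts[0],
                               "version": attrs.get("Version"),
                               "public_key_token": attrs.get("PublicKeyToken"),
                               "native_image": row[2] if kind == "3" else None})
    return {"settings": settings, "assemblies": assemblies}


def loaded_assembly_names(text: str) -> list:
    """Just the simple names, in bind order, for a quick capability read-out."""
    return [a["name"] for a in parse_usage_log(text)["assemblies"]]


if __name__ == "__main__":
    result = parse_usage_log(SAMPLE_LOG)
    print("settings:", result["settings"])
    for a in result["assemblies"]:
        print(f'{a["name"]:<22} {a["version"]:<8} native image: {a["native_image"] or "-"}')
```

On a live host, run the same parser over every file under the UsageLogs directories for both CLR_v4.0 and CLR_v4.0_32; a log whose name matches a suspicious executable is timeline evidence that the binary executed, even after the binary itself has been deleted.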

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.38324091168724
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          File name:njGJ1eW44wshoMr.exe
                                                                          File size:832000
                                                                          MD5:3642d5bf033629d0a716fff2c17125b2
                                                                          SHA1:47993d2f980a7c3de204b008618c9b4c25511a49
                                                                          SHA256:c7af68bcec3b1c2e3a87f08111ab75b525799c5386fa85b529f8690bfa1c766a
                                                                          SHA512:d0539565dbd492ed31b00accab13a629f2535fe9d3123e90038fb55591a079d9ddc0e9f7fde493cdb49621f50901283e0d8a8343617089519b0cac57b9eda4d0
                                                                          SSDEEP:12288:Gqfu19QFt3oLWPaoMeSEKBtqKuCwaBjaBF:Ggt3oLiMeSTBtq9Za1a
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.................. ........@.. ....................................@................................

                                                                          File Icon

                                                                          Icon Hash:e0dc9e0e1e9296e8

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4bbdce
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x6010D3C4 [Wed Jan 27 02:45:24 2021 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v4.0.30319
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al   (repeated 97 times: the 194 bytes following the 6-byte jmp stub are zero padding, and 00 00 decodes as add byte ptr [eax], al)

                                                                          Data Directories

                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xbbd7c          0x4f          .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbc000          0x10e98       .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xce000          0xc           .reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                          Sections

                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                          .text   0x2000           0xb9dd4       0xb9e00   False     0.643945443847   data       7.54334100572   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rsrc   0xbc000          0x10e98       0x11000   False     0.133128446691   data       4.50774411316   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc  0xce000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          Name           RVA      Size     Type                                                                        Language  Country
                                                                          RT_ICON        0xbc100  0x10828  data
                                                                          RT_GROUP_ICON  0xcc938  0x14     data
                                                                          RT_VERSION     0xcc95c  0x33c    data
                                                                          RT_MANIFEST    0xccca8  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                          Imports

                                                                          DLL          Import
                                                                          mscoree.dll  _CorExeMain
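The entrypoint, data directory, section and import tables above together describe the standard shape of a managed executable: the only instruction at the entrypoint is a six-byte `jmp dword ptr [00402000h]` that jumps through the single IAT slot (RVA 0x2000 plus image base 0x400000), which the loader fills with mscoree!_CorExeMain, the CLR header sits in IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008, and the .text section carries an entropy of 7.54, high enough to suggest that the managed code is packed or encrypted rather than plain IL. The script below is an added example, not part of the report or of the sample, that reproduces those checks with only the Python standard library. It constructs its own input in build_synthetic_pe() so that it runs offline; that synthetic PE copies the reported timestamp, image base and IAT/CLR directory RVAs but is not the sample, and the 7.0 entropy threshold is an assumed rule of thumb rather than anything the report states.

```python
"""Header triage for a PE32 .NET executable using only the standard library.
Added example, not the report's or the sample's code. build_synthetic_pe()
constructs the input (reported timestamp, image base and IAT/CLR RVAs) so the
script runs offline; HIGH_ENTROPY is an assumed rule-of-thumb threshold."""
import math
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
HIGH_ENTROPY = 7.0  # assumed threshold above which a section looks packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Pull the PE32 fields the report tabulates: timestamp, entrypoint, image base,
    DllCharacteristics, the IAT and CLR data directories, and per-section entropy."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = pe_off + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20                                     # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    imagebase = struct.unpack_from("<I", buf, opt + 28)[0]
    dllchars = struct.unpack_from("<H", buf, opt + 70)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    dirs += [(0, 0)] * (16 - len(dirs))               # tolerate a truncated directory table
    sections = []
    for i in range(nsec):                             # IMAGE_SECTION_HEADER is 40 bytes each
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr,
                         "entropy": shannon_entropy(buf[rawptr:rawptr + rawsize])})
    return {"timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "entrypoint": entry, "imagebase": imagebase,
            "dll_characteristics": sorted(n for f, n in DLL_FLAGS.items() if dllchars & f),
            "iat": dirs[IMAGE_DIRECTORY_ENTRY_IAT],
            "clr_header": dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR],
            "sections": sections}


def entry_stub_target(buf: bytes, pe: dict):
    """If the entrypoint bytes are FF 25 <abs32> (jmp dword ptr [abs32]) return abs32, else None."""
    for s in pe["sections"]:
        if s["va"] <= pe["entrypoint"] < s["va"] + max(s["vsize"], s["rawsize"]):
            off = s["rawptr"] + (pe["entrypoint"] - s["va"])
            if buf[off:off + 2] == b"\xff\x25":
                return struct.unpack_from("<I", buf, off + 2)[0]
            return None
    raise ValueError("entrypoint is not backed by any section")


def triage(buf: bytes) -> dict:
    pe = parse_pe(buf)
    target = entry_stub_target(buf, pe)
    iat_rva, iat_size = pe["iat"]
    clr_rva, clr_size = pe["clr_header"]
    return {"compiled": pe["timestamp"].isoformat(),
            "is_dotnet": clr_rva != 0 and clr_size != 0,
            # a managed exe's stub jumps through its IAT, whose single slot the loader fills with mscoree!_CorExeMain
            "entry_is_clr_stub": target is not None and iat_rva <= target - pe["imagebase"] < iat_rva + iat_size,
            "dll_characteristics": pe["dll_characteristics"],
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > HIGH_ENTROPY]}


def build_synthetic_pe() -> bytes:
    """Constructed input, not the sample: a header-only PE32 with the reported timestamp,
    image base and IAT/CLR directory RVAs. .text holds the entry stub at RVA 0x2100 and is
    otherwise zero; .data contains every byte value twice so its entropy is exactly 8.0."""
    text = bytearray(0x200)
    text[0x100:0x106] = b"\xff\x25\x00\x20\x40\x00"   # jmp dword ptr [0x402000]
    data = bytes(range(256)) * 2
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (0x2000, 0x8)
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, len(text), len(data), 0, 0x2100, 0x2000, 0x3000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x6010D3C4, 0, 0, len(opt), 0x0102)
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x3000, len(data), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + secs
    return headers.ljust(0x200, b"\0") + bytes(text) + data


if __name__ == "__main__":
    for key, value in triage(build_synthetic_pe()).items():
        print(f"{key}: {value}")
```

To run the same checks on a real sample, replace build_synthetic_pe() with the bytes of the file under analysis; the parser deliberately stops at the header level, so it never executes or decompresses anything, which keeps it safe to run on untrusted input.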

                                                                          Version Infos

                                                                          Description       Data
                                                                          Translation       0x0000 0x04b0
                                                                          LegalCopyright    Copyright 2017
                                                                          Assembly Version  1.0.0.0
                                                                          InternalName      Zwj.exe
                                                                          FileVersion       1.0.0.0
                                                                          CompanyName
                                                                          LegalTrademarks
                                                                          Comments
                                                                          ProductName       HotelMgmtSystem
                                                                          ProductVersion    1.0.0.0
                                                                          FileDescription   HotelMgmtSystem
                                                                          OriginalFilename  Zwj.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                                          Jan 27, 2021 15:18:58.971848965 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.033337116 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.033540964 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.679548979 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.680159092 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.739547014 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.739764929 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.740308046 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.800381899 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.850013018 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.881191969 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.946923018 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.946962118 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.946980000 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:18:59.947123051 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:18:59.958525896 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.020937920 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.068723917 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.531128883 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.590985060 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.593214035 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.652664900 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.654033899 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.719590902 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.721302032 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.785753012 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.786225080 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.852276087 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.852926016 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.913556099 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.916759014 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.916860104 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.917643070 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.917711020 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:00.976367950 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:00.980758905 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:01.068741083 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:01.115701914 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:03.480679035 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:03.543390036 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:03.543489933 CET  587          49757      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:03.543580055 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:03.673533916 CET  49757        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.057267904 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.116765022 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.119281054 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.213311911 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.213740110 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.274231911 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.274247885 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.274631977 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.334006071 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.334525108 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.397619009 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.399039984 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.399627924 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.461936951 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.461961031 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.462543011 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.522383928 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.523814917 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.587853909 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.588437080 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.649934053 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.650512934 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.715550900 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.715950966 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.778768063 CET  587          49758      46.16.62.134  192.168.2.6
                                                                          Jan 27, 2021 15:19:04.781414032 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.781725883 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.781898975 CET  49758        587        192.168.2.6   46.16.62.134
                                                                          Jan 27, 2021 15:19:04.782078981 CET49758587192.168.2.646.16.62.134
                                                                          Jan 27, 2021 15:19:04.782417059 CET49758587192.168.2.646.16.62.134
                                                                          Jan 27, 2021 15:19:04.782530069 CET49758587192.168.2.646.16.62.134
                                                                          Jan 27, 2021 15:19:04.782634974 CET49758587192.168.2.646.16.62.134
                                                                          Jan 27, 2021 15:19:04.782751083 CET49758587192.168.2.646.16.62.134
                                                                          Jan 27, 2021 15:19:04.843467951 CET5874975846.16.62.134192.168.2.6
                                                                          Jan 27, 2021 15:19:04.843492985 CET5874975846.16.62.134192.168.2.6
                                                                          Jan 27, 2021 15:19:04.845757961 CET5874975846.16.62.134192.168.2.6
                                                                          Jan 27, 2021 15:19:05.941018105 CET5874975846.16.62.134192.168.2.6
                                                                          Jan 27, 2021 15:19:05.991224051 CET49758587192.168.2.646.16.62.134

                                                                          UDP Packets


                                                                          DNS Queries

                                                                           Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
                                                                           Jan 27, 2021 15:18:58.776926994 CET  192.168.2.6  8.8.8.8  0x7864    Standard query (0)  mail.cefortem.cat  A (IP address)  IN (0x0001)
                                                                           Jan 27, 2021 15:19:03.998423100 CET  192.168.2.6  8.8.8.8  0x6cbf    Standard query (0)  mail.cefortem.cat  A (IP address)  IN (0x0001)

                                                                          DNS Answers

                                                                           Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address       Type            Class
                                                                           Jan 27, 2021 15:18:58.866444111 CET  8.8.8.8    192.168.2.6  0x7864    No error (0)  mail.cefortem.cat         46.16.62.134  A (IP address)  IN (0x0001)
                                                                           Jan 27, 2021 15:19:04.054814100 CET  8.8.8.8    192.168.2.6  0x6cbf    No error (0)  mail.cefortem.cat         46.16.62.134  A (IP address)  IN (0x0001)

                                                                          SMTP Packets

                                                                           Timestamp                            Source Port  Dest Port  Source IP     Dest IP       Commands
                                                                           Jan 27, 2021 15:18:59.679548979 CET  587          49757      46.16.62.134  192.168.2.6   220 fnadk-03.srv.cat ESMTP
                                                                           Jan 27, 2021 15:18:59.680159092 CET  49757        587        192.168.2.6   46.16.62.134  EHLO 642294
                                                                           Jan 27, 2021 15:18:59.739764929 CET  587          49757      46.16.62.134  192.168.2.6   250-fnadk-03.srv.cat
                                                                                                                                                                    250-PIPELINING
                                                                                                                                                                    250-SIZE 47185920
                                                                                                                                                                    250-ETRN
                                                                                                                                                                    250-STARTTLS
                                                                                                                                                                    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
                                                                                                                                                                    250-ENHANCEDSTATUSCODES
                                                                                                                                                                    250-8BITMIME
                                                                                                                                                                    250-DSN
                                                                                                                                                                    250 CHUNKING
                                                                           Jan 27, 2021 15:18:59.740308046 CET  49757        587        192.168.2.6   46.16.62.134  STARTTLS
                                                                           Jan 27, 2021 15:18:59.800381899 CET  587          49757      46.16.62.134  192.168.2.6   220 2.0.0 Ready to start TLS
                                                                           Jan 27, 2021 15:19:04.213311911 CET  587          49758      46.16.62.134  192.168.2.6   220 fnadk-03.srv.cat ESMTP
                                                                           Jan 27, 2021 15:19:04.213740110 CET  49758        587        192.168.2.6   46.16.62.134  EHLO 642294
                                                                           Jan 27, 2021 15:19:04.274247885 CET  587          49758      46.16.62.134  192.168.2.6   250-fnadk-03.srv.cat
                                                                                                                                                                    250-PIPELINING
                                                                                                                                                                    250-SIZE 47185920
                                                                                                                                                                    250-ETRN
                                                                                                                                                                    250-STARTTLS
                                                                                                                                                                    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
                                                                                                                                                                    250-ENHANCEDSTATUSCODES
                                                                                                                                                                    250-8BITMIME
                                                                                                                                                                    250-DSN
                                                                                                                                                                    250 CHUNKING
                                                                           Jan 27, 2021 15:19:04.274631977 CET  49758        587        192.168.2.6   46.16.62.134  STARTTLS
                                                                           Jan 27, 2021 15:19:04.334006071 CET  587          49758      46.16.62.134  192.168.2.6   220 2.0.0 Ready to start TLS


                                                                          System Behavior

                                                                          General

                                                                           Start time: 15:17:04
                                                                           Start date: 27/01/2021
                                                                           Path: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe
                                                                           Wow64 process (32bit): true
                                                                           Commandline: 'C:\Users\user\Desktop\njGJ1eW44wshoMr.exe'
                                                                           Imagebase: 0x9c0000
                                                                           File size: 832000 bytes
                                                                           MD5 hash: 3642D5BF033629D0A716FFF2C17125B2
                                                                           Has elevated privileges: true
                                                                           Has administrator privileges: true
                                                                           Programmed in: .Net C# or VB.NET
                                                                           Yara matches:
                                                                           • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.355060435.0000000003E90000.00000004.00000001.sdmp, Author: Joe Security
                                                                           • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.354112729.0000000002DD7000.00000004.00000001.sdmp, Author: Joe Security
                                                                           Reputation: low

                                                                          General

                                                                           Start time: 15:17:15
                                                                           Start date: 27/01/2021
                                                                           Path: C:\Users\user\Desktop\njGJ1eW44wshoMr.exe
                                                                           Wow64 process (32bit): true
                                                                           Commandline: {path}
                                                                           Imagebase: 0x7b0000
                                                                           File size: 832000 bytes
                                                                           MD5 hash: 3642D5BF033629D0A716FFF2C17125B2
                                                                           Has elevated privileges: true
                                                                           Has administrator privileges: true
                                                                           Programmed in: .Net C# or VB.NET
                                                                           Yara matches:
                                                                           • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.680815845.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                           • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                           • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.683036649.0000000002BE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                           Reputation: low

                                                                          Disassembly

                                                                          Code Analysis

                                                                            Executed Functions

                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 05DCB62B
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: 49514dee04803dd08b467a9553e0b94c90f5efb988d08f91b5cdf241c8110ecd
                                                                            • Instruction ID: 20ae3bb3871ddaaff570b816ff1f956bf4557dd996156fa9bc16164f0ff0b02f
                                                                            • Opcode Fuzzy Hash: 49514dee04803dd08b467a9553e0b94c90f5efb988d08f91b5cdf241c8110ecd
                                                                            • Instruction Fuzzy Hash: 43513270E102198FEB14CFA9C886BEDBBB5BF48314F55816EE815AB350DB749844CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: <l
                                                                            • API String ID: 0-2278483159
                                                                            • Opcode ID: 2576362d71982bf4400cfd48f1bdbe4917f8b971e9cb460a963f85aa8976837e
                                                                            • Instruction ID: 6c97c669995b94deddaff9eabcefce5f1c514db628994ff4fb5274871a79b25d
                                                                            • Opcode Fuzzy Hash: 2576362d71982bf4400cfd48f1bdbe4917f8b971e9cb460a963f85aa8976837e
                                                                            • Instruction Fuzzy Hash: 91D13C75E0020ACFCB14DFA8C494AAEBBF2FF48314F15855AE515AB391DB34A946CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: efede90a7676ad91db5c1d4ab3d5bbd872a39ce92550c5371f21faa673962a50
                                                                            • Instruction ID: 599b34baf4173b87cd47f5d8e421f9211faf22093f4792742eca351612ad42fb
                                                                            • Opcode Fuzzy Hash: efede90a7676ad91db5c1d4ab3d5bbd872a39ce92550c5371f21faa673962a50
                                                                            • Instruction Fuzzy Hash: 0112C6F0C817459FE712CF65E9482893BB1F745798F648B08D2A12B2E1D7F911AACF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c9be34ad180ac8a5075daed7a75e292d034dfe7c30008642ca7a96181316f64b
                                                                            • Instruction ID: 8d10f4180bd1c000e93f5603b88e9b0bce37fa65f6306f8a83aeefaecb297413
                                                                            • Opcode Fuzzy Hash: c9be34ad180ac8a5075daed7a75e292d034dfe7c30008642ca7a96181316f64b
                                                                            • Instruction Fuzzy Hash: AAE19DB1C847858FD713CF64E8581893FB1FB463A8F648A09D1A16B2E2D7F9106ACF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 39240358d196cf90523868595cb91220ea34aff11e59d66035fefd9604d9a140
                                                                            • Instruction ID: d2e76d32670578e34ff1950289c04172131db79c96ffa9cf077c0fa1a83732a4
                                                                            • Opcode Fuzzy Hash: 39240358d196cf90523868595cb91220ea34aff11e59d66035fefd9604d9a140
                                                                            • Instruction Fuzzy Hash: 72B12970E0421A9FDB10CFA9D8857EDBBF2BF88344F14816EE815A7294DB74D845CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 00d5900c8f06a60a59a17e62c9c1dc1b95734b498436833d3c3d57466dac38f1
                                                                            • Instruction ID: 9498cf5ebd5bdb50d4c062345801c3dfdfd43e6d3562ee7cfbc2e8ca817c4988
                                                                            • Opcode Fuzzy Hash: 00d5900c8f06a60a59a17e62c9c1dc1b95734b498436833d3c3d57466dac38f1
                                                                            • Instruction Fuzzy Hash: 53B12970E0420A8FDB10CFA9D8857ADBBF2FF88354F24816ED815A7294EB749845CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8f1fcd8291a9d2e44dc8837e0958986901b64024e36b2e924c28aeb711f02f60
                                                                            • Instruction ID: 73857039d0d979173f255531c2d17000ccdeb3eb6885a233553ae1584098878a
                                                                            • Opcode Fuzzy Hash: 8f1fcd8291a9d2e44dc8837e0958986901b64024e36b2e924c28aeb711f02f60
                                                                            • Instruction Fuzzy Hash: 82912870E0420A9BDB14CFA9C9857ADBBF2BF88304F24816EE415AB354EB74D945CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 010A69A0
                                                                            • GetCurrentThread.KERNEL32 ref: 010A69DD
                                                                            • GetCurrentProcess.KERNEL32 ref: 010A6A1A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 010A6A73
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: b48be9d3f6508154eae4a2d363840535b752ab4980a4af582683b8db6ca8c6e4
                                                                            • Instruction ID: db1ad3bb7a3955d2b85c4edd74fdecfe00d899c246b56e735d5702f688647c3a
                                                                            • Opcode Fuzzy Hash: b48be9d3f6508154eae4a2d363840535b752ab4980a4af582683b8db6ca8c6e4
                                                                            • Instruction Fuzzy Hash: 675154B09006448FDB14CFA9D588BEEBFF0AF88314F24845AE059AB350DB795944CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32 ref: 010A69A0
                                                                            • GetCurrentThread.KERNEL32 ref: 010A69DD
                                                                            • GetCurrentProcess.KERNEL32 ref: 010A6A1A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 010A6A73
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Current$ProcessThread
                                                                            • String ID:
                                                                            • API String ID: 2063062207-0
                                                                            • Opcode ID: 8d628fe2af8aca266f3a2ae6b393b1b61034fdd0f7830cce429c93ace680ebbd
                                                                            • Instruction ID: dbc0844f737f0669c36eaf3ff32a9d677eab4bed1e01e5ed8c8ba407d93bae18
                                                                            • Opcode Fuzzy Hash: 8d628fe2af8aca266f3a2ae6b393b1b61034fdd0f7830cce429c93ace680ebbd
                                                                            • Instruction Fuzzy Hash: D95154B09007498FDB14CFA9D588BDEBBF0EF88314F24845AE059A7350DB755984CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010A51A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 0e3ee4ec378cee72f34b61ec707d46393be348d25bae021a79d52a306240ca90
                                                                            • Instruction ID: ec77c594e27d34fd043bd090c3305218832459f587fce2c480ee739ff129598a
                                                                            • Opcode Fuzzy Hash: 0e3ee4ec378cee72f34b61ec707d46393be348d25bae021a79d52a306240ca90
                                                                            • Instruction Fuzzy Hash: 7551D1B1D103089FDB14CF99D884ADEBBF5BF88314F65812AE819AB210D774A985CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010A51A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 6a21ea159543e420b6228cb68101e1caca7dca57f49d1ed6e5e879cf23d7310e
                                                                            • Instruction ID: 09381ed50bb819ac2a8ef78082a566d09706d46fce8b151faa3b6f033f53846c
                                                                            • Opcode Fuzzy Hash: 6a21ea159543e420b6228cb68101e1caca7dca57f49d1ed6e5e879cf23d7310e
                                                                            • Instruction Fuzzy Hash: 1C41C0B1D103089FDB14CF99D884ADEBBB5BF88314F64822AE819AB210D774A945CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 010A7F01
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: CallProcWindow
                                                                            • String ID:
                                                                            • API String ID: 2714655100-0
                                                                            • Opcode ID: e3a078ee65d1bf1e8002660662eb172cd6cb98b9dbc93da1a5a505530d122960
                                                                            • Instruction ID: e00f0b90de4c40eea719ca9da801dfaca18c8f55c1736585543870e49f55f76d
                                                                            • Opcode Fuzzy Hash: e3a078ee65d1bf1e8002660662eb172cd6cb98b9dbc93da1a5a505530d122960
                                                                            • Instruction Fuzzy Hash: 6F4158B5A00305CFCB15CF99C488AAABBF5FF88314F24C499E559AB321D775A941CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 05DCF811
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: QueryValue
                                                                            • String ID:
                                                                            • API String ID: 3660427363-0
                                                                            • Opcode ID: 6add32dcb1f8ef84dd39987ecbb604da636796eb562a5bbeaecb575ee778b95b
                                                                            • Instruction ID: 1d3b5c9be12bc9f76afe617ba2111492220239af6357c1cf4d34854464f1bf18
                                                                            • Opcode Fuzzy Hash: 6add32dcb1f8ef84dd39987ecbb604da636796eb562a5bbeaecb575ee778b95b
                                                                            • Instruction Fuzzy Hash: 3431E1B1D002599FCB10CF9AD884ACEBFF6BF48314F15806AE819AB310D7749945CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 05DCF5A4
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Open
                                                                            • String ID:
                                                                            • API String ID: 71445658-0
                                                                            • Opcode ID: f33807796725bfa21edbf09072dcdc4262f4015eed86935b3fbbe83b19777979
                                                                            • Instruction ID: f5f9d9ab0fa6a1c81a820eb184536e9a0e40c742993f32cc2e537957d57e4aa3
                                                                            • Opcode Fuzzy Hash: f33807796725bfa21edbf09072dcdc4262f4015eed86935b3fbbe83b19777979
                                                                            • Instruction Fuzzy Hash: A031E0B1D1124A8FDB10CF99C584A8EFFF5BB48304F29816EE509AB341C7759985CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 010AC1A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: EncodePointer
                                                                            • String ID:
                                                                            • API String ID: 2118026453-0
                                                                            • Opcode ID: 90f785633dc233ea4458d244f568b3cf7fe0c3f6a83e05fd959c7910d73dde06
                                                                            • Instruction ID: b26a95c10e5604501c0667c1339268442320fb4594b6b982cf0bad8f4fd50a2b
                                                                            • Opcode Fuzzy Hash: 90f785633dc233ea4458d244f568b3cf7fe0c3f6a83e05fd959c7910d73dde06
                                                                            • Instruction Fuzzy Hash: ED31F1B19053858FEB10DFA8E90979E7FF4FB46319F54805AE488A7242CB7C6905CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Clipboard
                                                                            • String ID:
                                                                            • API String ID: 220874293-0
                                                                            • Opcode ID: 1f69d6353d50422fcfad6c6bdd0760171201ae333a7103317abe89a768b0e437
                                                                            • Instruction ID: 5d828d8f1ed415f6c7fbb172f4766c0f1ad835e29b62e60dce9d0a5cde8b4b88
                                                                            • Opcode Fuzzy Hash: 1f69d6353d50422fcfad6c6bdd0760171201ae333a7103317abe89a768b0e437
                                                                            • Instruction Fuzzy Hash: 333103B0E40249DFDB10CF99C585BCEBBF5AF49318F24805AE508BB790D7B49945CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: Clipboard
                                                                            • String ID:
                                                                            • API String ID: 220874293-0
                                                                            • Opcode ID: e0e8a0a4b3263aaaad3fc70f6d25faf188060333fbab3bd0970ddbf9acdc55e9
                                                                            • Instruction ID: cf6e64bdb0459a9334d18023af8497fc74866cdf3da55752fa725332424f2654
                                                                            • Opcode Fuzzy Hash: e0e8a0a4b3263aaaad3fc70f6d25faf188060333fbab3bd0970ddbf9acdc55e9
                                                                            • Instruction Fuzzy Hash: AE3102B09502499FDB10CF99C884BDEBFF5AF4A314F24805AE509BB390DBB49945CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010A6BEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 3e035429447492ac1ee1f2b0ba9ad8523314fd89e48fb6c53065ba931354fcd8
                                                                            • Instruction ID: 38c61d655dc4645e931a01e6d011d9f924ae887de7ef9b715bf4ed706c52b31b
• Opcode Fuzzy Hash: 3e035429447492ac1ee1f2b0ba9ad8523314fd89e48fb6c53065ba931354fcd8
• Instruction Fuzzy Hash: B621D3B5D002489FDB10CFA9D984AEEBBF8FB48324F15841AE954B7310D778A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010A6BEF
Memory Dump Source
• Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e91ace0f9d3df8583a1b4f1120f252db2bcfcf3b6eb19ed13a50e39c8264b084
• Instruction ID: 4173565333dace73e55faddf413dee2f86c5eb155e4d0b6531d184cd53144d03
• Opcode Fuzzy Hash: e91ace0f9d3df8583a1b4f1120f252db2bcfcf3b6eb19ed13a50e39c8264b084
• Instruction Fuzzy Hash: D121E2B5D002489FDB10CFA9D985AEEBBF4EB48320F15841AE914B7310D778A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 010AC1A2
Memory Dump Source
• Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 8faf0d032501ca8f1dd4032c34eb8c113c1de76d50adf2af7d226a28f9d49db9
• Instruction ID: 7a585d01201f63fc8412303b8b5bfb04f56b6c59c9c4014eb243eee583ecbae4
• Opcode Fuzzy Hash: 8faf0d032501ca8f1dd4032c34eb8c113c1de76d50adf2af7d226a28f9d49db9
• Instruction Fuzzy Hash: C1117CB1A003458FEB50DFA9D50979EBFF4FB45325F608429D849E3641CB786905CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 010A4116
Memory Dump Source
• Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 4da009858693c10300f3ba80a6e6faaf6d3fe410fa189d8db723d5a6bf6993ac
• Instruction ID: dd71661c0a2bf749b72d1d8a272c5aedbb47f88a49abe693109a0a4b6f5c6ca1
• Opcode Fuzzy Hash: 4da009858693c10300f3ba80a6e6faaf6d3fe410fa189d8db723d5a6bf6993ac
• Instruction Fuzzy Hash: 651134B6D006498FDB20CF9AD444BDEFBF4EB88210F14846AD959B7200C3B4A545CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,05DCC0F7), ref: 05DCC187
Memory Dump Source
• Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: b7d408b241b09f11eda08c17e30ffc4ce65900eaf74c01f2ca7d412abcc7fb64
• Instruction ID: f3ab4d091f990fee2659b5696f79df25b76363ad232bcf6adb31908cd8c87c0d
• Opcode Fuzzy Hash: b7d408b241b09f11eda08c17e30ffc4ce65900eaf74c01f2ca7d412abcc7fb64
• Instruction Fuzzy Hash: 3F1125B19046498FCB10DF9AD884BDEBBF4EB88324F24845AD529A7310C7B4A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 05DCCD05
Memory Dump Source
• Source File: 00000001.00000002.687727816.0000000005DC0000.00000040.00000001.sdmp, Offset: 05DC0000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 75f51814cfed6578ffd286650b3015c83ffdd5c422444badc58f09539d8d2542
• Instruction ID: 8065a8e06eef1e213258ebd804c591af04ff9a6483d4bdd87bca2ce2625d1fc9
• Opcode Fuzzy Hash: 75f51814cfed6578ffd286650b3015c83ffdd5c422444badc58f09539d8d2542
• Instruction Fuzzy Hash: 7B1103B19047498FCB10DF99D845BDEBFF4EB48324F20845AD519A7710C778A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 010A4116
Memory Dump Source
• Source File: 00000001.00000002.682408835.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 53b1fde05d2e7b7197ad34d9cd094caa593c075a5e87d4bab695f0fb22e3ea30
• Instruction ID: f4d4638c545be307c9ce890eca8da6c78032d54244947eaf025968a8b80f12c6
• Opcode Fuzzy Hash: 53b1fde05d2e7b7197ad34d9cd094caa593c075a5e87d4bab695f0fb22e3ea30
• Instruction Fuzzy Hash: B21143B6C006098FDB10CF9AD444BDEFBF4AF88210F15842AD928B7600D3B8A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.682108814.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f1735dc813a8cef20e6d377d69325a67d37245d2752ff462c6a6b2b7a275bbe
• Instruction ID: 0bd918361fa41c21bc341ba86c00b9daa8b19dba26e816c4aa22798e6d41df71
• Opcode Fuzzy Hash: 9f1735dc813a8cef20e6d377d69325a67d37245d2752ff462c6a6b2b7a275bbe
• Instruction Fuzzy Hash: B1210371504240DFDB01DF94D8C0B6BBBA5FB88324F24C5A9E9454B247C736EC45CBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.682150493.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c9c1bcc56a2a0da3dc6c4dbdd8f53ae70c1a77d5dcaca62931e9823bb3f6fc5c
• Instruction ID: 7666a8ab00bb2997fc7ea415e2bcb813ce7f85782c77e356667dcc2edbd79bb8
• Opcode Fuzzy Hash: c9c1bcc56a2a0da3dc6c4dbdd8f53ae70c1a77d5dcaca62931e9823bb3f6fc5c
• Instruction Fuzzy Hash: 44214571504240DFCB10CFA4D8C0B16FBA9FB84B54F64C9ADE8894B242C336D806CB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.682150493.000000000103D000.00000040.00000001.sdmp, Offset: 0103D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: becf6118c4d32033d108746f81366010ccf9c0158998062a5ccd88d5db316e96
• Instruction ID: 53c706ba12c558cb7b90469f50aa5fed71a271329b7c09269cf934c8b6c728f1
• Opcode Fuzzy Hash: becf6118c4d32033d108746f81366010ccf9c0158998062a5ccd88d5db316e96
• Instruction Fuzzy Hash: 852183754083809FCB02CF64D994B11BFB5EB86214F28C5DAD8858F257C33AD856CB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.682108814.000000000102D000.00000040.00000001.sdmp, Offset: 0102D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
• Instruction ID: cc95f284ee7b9e8c0d4911c87cbfea1224dc7bed2cd65a8728d815980be2e36d
• Opcode Fuzzy Hash: 475f330473868ad3c29f7e884537fa5e2c046c0b54d26c118bd7d839c6bfe152
• Instruction Fuzzy Hash: A911B176404280CFDB12CF54D5C4B56BFB1FB88324F28C6A9D8450B657C336D85ACBA2
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions