Play interactive tour

Edit tour

Analysis Report zTM9EtIGQK.exe

Overview

General Information

Sample Name:	zTM9EtIGQK.exe
Analysis ID:	383945
MD5:	01158bfc4ce6cb2c5a3cdbf661f13f8b
SHA1:	4d18044e5cfa5ebb9b397dd742648db870b1f32a
SHA256:	4ee443331bdebfdfffa8f7fe75c1434504a900dc792561390f27c3f9f0c8bc09
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

zTM9EtIGQK.exe (PID: 2996 cmdline: 'C:\Users\user\Desktop\zTM9EtIGQK.exe' MD5: 01158BFC4CE6CB2C5A3CDBF661F13F8B)

schtasks.exe (PID: 5852 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

zTM9EtIGQK.exe (PID: 4864 cmdline: C:\Users\user\Desktop\zTM9EtIGQK.exe MD5: 01158BFC4CE6CB2C5A3CDBF661F13F8B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zTM9EtIGQK.exe PID: 4864	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zTM9EtIGQK.exe PID: 4864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: zTM9EtIGQK.exe PID: 2996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: zTM9EtIGQK.exe PID: 2996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.zTM9EtIGQK.exe.36231a0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.zTM9EtIGQK.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.zTM9EtIGQK.exe.36231a0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\zTM9EtIGQK.exe' , ParentImage: C:\Users\user\Desktop\zTM9EtIGQK.exe, ParentProcessId: 2996, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp', ProcessId: 5852

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: zTM9EtIGQK.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

Avira: detection malicious, Label: HEUR/AGEN.1138557

Found malware configuration

Show sources

Source: 0.2.zTM9EtIGQK.exe.36231a0.2.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

ReversingLabs: Detection: 35%

Multi AV Scanner detection for submitted file

Show sources

Source: zTM9EtIGQK.exe	Virustotal: Detection: 32%			Perma Link
Source: zTM9EtIGQK.exe	ReversingLabs: Detection: 35%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: zTM9EtIGQK.exe

Joe Sandbox ML: detected

Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: zTM9EtIGQK.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: zTM9EtIGQK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0E6D1060
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0E6D2FC0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0E6D2FAF
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0E6D1050

Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: http://NmvONo.com
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: zTM9EtIGQK.exe, 00000000.00000002.261724513.00000000024C1000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: zTM9EtIGQK.exe, 00000007.00000002.494240674.0000000003314000.00000004.00000001.sdmp	String found in binary or memory: http://smtp.yandex.com
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: zTM9EtIGQK.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: zTM9EtIGQK.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: zTM9EtIGQK.exe, 00000000.00000002.261241887.0000000000C07000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comicta
Source: zTM9EtIGQK.exe, 00000000.00000002.261241887.0000000000C07000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: zTM9EtIGQK.exe, 00000000.00000003.219533614.00000000054EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comHC
Source: zTM9EtIGQK.exe, 00000000.00000003.219397829.00000000054EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com~C
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: zTM9EtIGQK.exe, 00000000.00000003.221443733.00000000054E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnE
Source: zTM9EtIGQK.exe, 00000000.00000003.221443733.00000000054E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: zTM9EtIGQK.exe, 00000000.00000003.219814071.00000000054EB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comZC
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: http://yandex.ocsp-responder.com03
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000007.00000002.494359087.0000000003340000.00000004.00000001.sdmp	String found in binary or memory: https://K7p4S11uSBScHXT6.com
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: zTM9EtIGQK.exe, 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9BB50ABBu002d997Bu002d49D4u002d96BAu002dB4F190B3376Fu007d/u0036183AC38u002d4AD0u002d4B11u002d886Du002d06E3B37F3CC0.cs

Large array initialization: .cctor: array initializer size 11951

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD6EA8 NtQueryInformationProcess,		0_2_06DD6EA8
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD6EA0 NtQueryInformationProcess,		0_2_06DD6EA0

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_000FA9EA	0_2_000FA9EA
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_0235C2B0	0_2_0235C2B0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_02359990	0_2_02359990
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD54C0	0_2_06DD54C0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD6C60	0_2_06DD6C60
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DDC420	0_2_06DDC420
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7A78	0_2_06DD7A78
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DDCB00	0_2_06DDCB00
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DDD130	0_2_06DDD130
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD8650	0_2_06DD8650
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD8660	0_2_06DD8660
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7FD9	0_2_06DD7FD9
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7FE8	0_2_06DD7FE8
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD5768	0_2_06DD5768
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD54B0	0_2_06DD54B0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD6459	0_2_06DD6459
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD6468	0_2_06DD6468
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD5D88	0_2_06DD5D88
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7D84	0_2_06DD7D84
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2DB0	0_2_06DD2DB0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2DAE	0_2_06DD2DAE
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD5D4C	0_2_06DD5D4C
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2258	0_2_06DD2258
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7A5B	0_2_06DD7A5B
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2268	0_2_06DD2268
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD7A1F	0_2_06DD7A1F
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD1B88	0_2_06DD1B88
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD1B78	0_2_06DD1B78
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD9318	0_2_06DD9318
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD9308	0_2_06DD9308
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD08F8	0_2_06DD08F8
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2053	0_2_06DD2053
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD9818	0_2_06DD9818
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD9807	0_2_06DD9807
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2038	0_2_06DD2038
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2028	0_2_06DD2028
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD0908	0_2_06DD0908
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_0E6D2B88	0_2_0E6D2B88
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_0E6D1860	0_2_0E6D1860
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_000FAAC7	0_2_000FAAC7
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_000FAA54	0_2_000FAA54
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_00CEA9EA	7_2_00CEA9EA
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_01432D50	7_2_01432D50
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_01432020	7_2_01432020
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_0143AB70	7_2_0143AB70
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_01432618	7_2_01432618
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_0143B110	7_2_0143B110
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_0143D980	7_2_0143D980
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_0143BDBC	7_2_0143BDBC
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_0143EE10	7_2_0143EE10
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_02EA46A0	7_2_02EA46A0
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_02EA4690	7_2_02EA4690
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_02EA4672	7_2_02EA4672
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B97540	7_2_05B97540
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B994F8	7_2_05B994F8
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B96C70	7_2_05B96C70
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B96928	7_2_05B96928
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_00CEAAC7	7_2_00CEAAC7
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_00CEAA54	7_2_00CEAA54
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B9257B	7_2_05B9257B
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_05B92680	7_2_05B92680

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe 4EE443331BDEBFDFFFA8F7FE75C1434504A900DC792561390F27C3F9F0C8BC09

Source: zTM9EtIGQK.exe	Binary or memory string: OriginalFilename vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.270432002.000000000E3D0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.270432002.000000000E3D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.267978645.0000000006D40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000003.258888468.000000000DB66000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.268399680.00000000083F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000000.00000002.269700084.000000000E2D0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe	Binary or memory string: OriginalFilename vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000007.00000000.257991876.0000000000CE2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000007.00000002.498895022.0000000006580000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000007.00000002.489837671.00000000014A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe	Binary or memory string: OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe

Source: zTM9EtIGQK.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: zTM9EtIGQK.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VKAeWEikAShZpp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File created: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp

Jump to behavior

Source: zTM9EtIGQK.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: zTM9EtIGQK.exe	Virustotal: Detection: 32%
Source: zTM9EtIGQK.exe	ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File read: C:\Users\user\Desktop\zTM9EtIGQK.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe 'C:\Users\user\Desktop\zTM9EtIGQK.exe'
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe C:\Users\user\Desktop\zTM9EtIGQK.exe
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe C:\Users\user\Desktop\zTM9EtIGQK.exe	Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: zTM9EtIGQK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: zTM9EtIGQK.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 0_2_06DD2D17 push es; ret	0_2_06DD2D18
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_01437A37 push edi; retn 0000h	7_2_01437A39
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_02EADCCE push 8BF08BFEh; iretd	7_2_02EADCDF
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Code function: 7_2_02EADD38 push FFFFFF8Bh; iretd	7_2_02EADD3B

Source: initial sample	Static PE information: section name: .text entropy: 7.59937504831
Source: initial sample	Static PE information: section name: .text entropy: 7.59937504831

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File created: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 2996, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Window / User API: threadDelayed 3165			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Window / User API: threadDelayed 6686			Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 968	Thread sleep time: -103140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 4772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6196	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6200	Thread sleep count: 3165 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6200	Thread sleep count: 6686 > 30	Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Thread delayed: delay time: 103140	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWe
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Memory written: C:\Users\user\Desktop\zTM9EtIGQK.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe C:\Users\user\Desktop\zTM9EtIGQK.exe			Jump to behavior

Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Users\user\Desktop\zTM9EtIGQK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Users\user\Desktop\zTM9EtIGQK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 4864, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 2996, type: MEMORY
Source: Yara match	File source: 0.2.zTM9EtIGQK.exe.36231a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zTM9EtIGQK.exe.36231a0.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 4864, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 4864, type: MEMORY
Source: Yara match	File source: Process Memory Space: zTM9EtIGQK.exe PID: 2996, type: MEMORY
Source: Yara match	File source: 0.2.zTM9EtIGQK.exe.36231a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.zTM9EtIGQK.exe.36231a0.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job1	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery321	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion141	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion141	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zTM9EtIGQK.exe	32%	Virustotal		Browse
zTM9EtIGQK.exe	35%	ReversingLabs	Win32.Trojan.AgentTesla
zTM9EtIGQK.exe	100%	Avira	HEUR/AGEN.1138557
zTM9EtIGQK.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe	100%	Avira	HEUR/AGEN.1138557
C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe	35%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.zTM9EtIGQK.exe.f0000.0.unpack	100%	Avira	HEUR/AGEN.1138557	Download File
7.0.zTM9EtIGQK.exe.ce0000.0.unpack	100%	Avira	HEUR/AGEN.1138557	Download File
7.2.zTM9EtIGQK.exe.ce0000.1.unpack	100%	Avira	HEUR/AGEN.1138557	Download File
0.2.zTM9EtIGQK.exe.f0000.0.unpack	100%	Avira	HEUR/AGEN.1138557	Download File
7.2.zTM9EtIGQK.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://K7p4S11uSBScHXT6.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://tempuri.org/GridOneHSDataSet.xsd	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnE	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://NmvONo.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://tempuri.org/HighScoresDataSet.xsd	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fonts.comHC	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.fontbureau.comicta	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe
http://www.fonts.com~C	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.tiro.comZC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
https://K7p4S11uSBScHXT6.com	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000007.00000002.494359087.0000000003340000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://yandex.crl.certum.pl/ycasha2.crl0q	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://tempuri.org/GridOneHSDataSet.xsd	zTM9EtIGQK.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	false		high
http://www.tiro.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnE	zTM9EtIGQK.exe, 00000000.00000003.221443733.00000000054E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://subca.ocsp-certum.com0.	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.certum.pl/ca.cer09	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://www.founder.com.cn/cn/cThe	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	zTM9EtIGQK.exe, 00000000.00000002.261724513.00000000024C1000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	zTM9EtIGQK.exe, 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp, zTM9EtIGQK.exe, 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certum.pl/CPS0	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://NmvONo.com	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/ycasha2.cer0	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://www.founder.com.cn/cnd	zTM9EtIGQK.exe, 00000000.00000003.221443733.00000000054E1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/HighScoresDataSet.xsd	zTM9EtIGQK.exe	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://DynDns.comDynDNS	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.certum.pl/ctnca.cer09	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://www.fonts.comHC	zTM9EtIGQK.exe, 00000000.00000003.219533614.00000000054EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://www.fontbureau.comicta	zTM9EtIGQK.exe, 00000000.00000002.261241887.0000000000C07000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://smtp.yandex.com	zTM9EtIGQK.exe, 00000007.00000002.494240674.0000000003314000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://yandex.ocsp-responder.com03	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com~C	zTM9EtIGQK.exe, 00000000.00000003.219397829.00000000054EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/cabarga.htmlN	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://www.tiro.comZC	zTM9EtIGQK.exe, 00000000.00000003.219814071.00000000054EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.yandex.net/certum/ycasha2.crl0-	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high
http://www.fontbureau.comm	zTM9EtIGQK.exe, 00000000.00000002.261241887.0000000000C07000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp	false		high
http://crl.certum.pl/ca.crl0h	zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383945
Start date:	08.04.2021
Start time:	12:55:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	zTM9EtIGQK.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/4@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 94% Number of executed functions: 128 Number of non-executed functions: 30
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:56:29	API Interceptor	636x Sleep call for process: zTM9EtIGQK.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe	AL JUNEIDI LIST.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zTM9EtIGQK.exe.log Download File
Process:	C:\Users\user\Desktop\zTM9EtIGQK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp Download File
Process:	C:\Users\user\Desktop\zTM9EtIGQK.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.197410812561367
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBStn:cbh47TlNQ//rydbz9I3YODOLNdq3O
MD5:	8C4E6C1F3629B50562C2774FC2B995AA
SHA1:	4A9060EC41D0F6E5BB00B7B6194AD82AFA9BAAA0
SHA-256:	C29A2FA4BE2912DAE590F96535F35D508898BFBCF7824CD32F331B1CF12DA2D5
SHA-512:	AB8EB6008B836B5691630ACA8C62286722ABD5FC03DB67A30B2522AC945EC5AFF1039FE87B17211AD59ED4C79923CFE19177C2A802874AADBAEE47C807853711
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe Download File
Process:	C:\Users\user\Desktop\zTM9EtIGQK.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	649728
Entropy (8bit):	7.589549958297263
Encrypted:	false
SSDEEP:	12288:9z54oxOwaGspLEPkLhHICpVazP9czBBo2OjKTe2/WQI6xfm:9z5GwupWkLdpGP9AYKThWQXxf
MD5:	01158BFC4CE6CB2C5A3CDBF661F13F8B
SHA1:	4D18044E5CFA5EBB9B397DD742648DB870B1F32A
SHA-256:	4EE443331BDEBFDFFFA8F7FE75C1434504A900DC792561390F27C3F9F0C8BC09
SHA-512:	D07D372E5399FDF8D95117D7D8F33CF3AFD75ABDC8C7BF812EECB18F73AC25D30E599AF11403B9621072435C18DB812A1EA0577792345BBF9C9381D0A213B98E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Joe Sandbox View:	Filename: AL JUNEIDI LIST.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Vn`..............P.............f.... ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................H.......H.......\|...Xo..............@............................................0............(,...(-.........(.....o..........................(/......(0......(1......(2......(3....N..(....oK...(4....&..(5.....s6........s7........s8........s9........s:............0...........~....o;....+...0...........~....o<....+...0...........~....o=....+...0...........~....o>....+...0...........~....o?....+..&..(@....*...0..<........~.....(A.....,!r...p.....(B...oC...sD............~.....

C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\zTM9EtIGQK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.589549958297263
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	zTM9EtIGQK.exe
File size:	649728
MD5:	01158bfc4ce6cb2c5a3cdbf661f13f8b
SHA1:	4d18044e5cfa5ebb9b397dd742648db870b1f32a
SHA256:	4ee443331bdebfdfffa8f7fe75c1434504a900dc792561390f27c3f9f0c8bc09
SHA512:	d07d372e5399fdf8d95117d7d8f33cf3afd75abdc8c7bf812eecb18f73ac25d30e599af11403b9621072435c18db812a1ea0577792345bbf9c9381d0a213b98e
SSDEEP:	12288:9z54oxOwaGspLEPkLhHICpVazP9czBBo2OjKTe2/WQI6xfm:9z5GwupWkLdpGP9AYKThWQXxf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Vn`..............P.............f.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49fa66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606E5614 [Thu Apr 8 01:02:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
or eax, 0C000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
push es
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or al, byte ptr [eax]
add byte ptr [eax], al
push cs
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax+eax], cl
add byte ptr [eax], al
add eax, 00000000h
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or eax, dword ptr [eax]
add byte ptr [eax], al
or al, 00h
add byte ptr [eax], al
or eax, 02000000h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [00000000h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9fa14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa0000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9df9c	0x9e000	False	0.776166312302	data	7.59937504831	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xa0000	0x5a4	0x600	False	0.416666666667	data	4.04558430369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xa0090	0x314	data
RT_MANIFEST	0xa03b4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.0.0.0
InternalName	Filter.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Codewords
ProductVersion	1.0.0.0
FileDescription	Codewords
OriginalFilename	Filter.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: zTM9EtIGQK.exe PID: 2996 Parent PID: 5708

General

Start time:	12:56:23
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\zTM9EtIGQK.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\zTM9EtIGQK.exe'
Imagebase:	0xf0000
File size:	649728 bytes
MD5 hash:	01158BFC4CE6CB2C5A3CDBF661F13F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5852 Parent PID: 2996

General

Start time:	12:56:42
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
Imagebase:	0x810000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6128 Parent PID: 5852

General

Start time:	12:56:42
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: zTM9EtIGQK.exe PID: 4864 Parent PID: 2996

General

Start time:	12:56:43
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\zTM9EtIGQK.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\zTM9EtIGQK.exe
Imagebase:	0xce0000
File size:	649728 bytes
MD5 hash:	01158BFC4CE6CB2C5A3CDBF661F13F8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: zTM9EtIGQK.exe PID: 2996 Parent PID: 5708 zTM9EtIGQK.exeCOMMON

Executed Functions

Function 06DD6EA0, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06DD6F27

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: bc952d339a9ad75b3942b31e47b21fa77556fb60cc2a59f7714d5fb77adcaf75
Instruction ID: dad9cd2be5f0e2d103fa336c94579658b8233e8dd43012a4942a93615fe7153a
Opcode Fuzzy Hash: bc952d339a9ad75b3942b31e47b21fa77556fb60cc2a59f7714d5fb77adcaf75
Instruction Fuzzy Hash: A321EFB5D006589FCB10CFAAD984ACEBBF4FB48320F10842AE919A7310C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DD6EA8, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06DD6F27

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: cded3b810f12f6c3d446853e995026bababd7119129c27630d8b760be2ade550
Instruction ID: 46430105bfee102e6d8e2b29de8b23bd4a0ec115b1788ef9239f606b88b09c01
Opcode Fuzzy Hash: cded3b810f12f6c3d446853e995026bababd7119129c27630d8b760be2ade550
Instruction Fuzzy Hash: 5B21CEB5D007599FCB10DF9AD884ADEBBF4FB48324F10842AE918A7310D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D1860, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a31a6b8d9d173d033e95cdbcdc9b6d59c822c96f0db1f22cd37ff831fc57a63
Instruction ID: 7a047be0d7acf114bebdabef9e69a1413fa37abdc1661e2a22066e0223a835c6
Opcode Fuzzy Hash: 0a31a6b8d9d173d033e95cdbcdc9b6d59c822c96f0db1f22cd37ff831fc57a63
Instruction Fuzzy Hash: 46D1DE70B056148FEB25DB76D420BAA77F6AF8A300F54846DC54ACB390DB78ED09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06DDCB00, Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2b2515cff59242c260851c57c6bf9260fc3df9fb7140a17ed589434010a396
Instruction ID: 6dca293adeed4f9fbdbd546d22b3fbad4e901e8c29d5b045be4b1c5a3bfd59c6
Opcode Fuzzy Hash: 8a2b2515cff59242c260851c57c6bf9260fc3df9fb7140a17ed589434010a396
Instruction Fuzzy Hash: 13D14574E12218DFEB54DFA4D950BEDBBB6FB89300F209029E505BB394EB349901CB18

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7A1F, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d9fb3d4d4a126581e7dbf5ff5f12c987881f93e0d264e13e6e1396f328f176
Instruction ID: 0d49a600042d4442b7c2c51984f6220ff9c1851e899ed8170783d94753a7946a
Opcode Fuzzy Hash: 36d9fb3d4d4a126581e7dbf5ff5f12c987881f93e0d264e13e6e1396f328f176
Instruction Fuzzy Hash: D6B1ADB0D15218DFDF54EFA4D844A9DBBB2FB88300F1095AAE54AAB254EB349A41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7A5B, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4629b7e5b58889a805ec4d21db24c4fb13f565332b1ea39d7717f95d5e136640
Instruction ID: 70bb8d1aaa006c06aab5dc505681cd6222d606726d593097a11c88a4db86bdb7
Opcode Fuzzy Hash: 4629b7e5b58889a805ec4d21db24c4fb13f565332b1ea39d7717f95d5e136640
Instruction Fuzzy Hash: E7B18CB0D15258CFDB54EFB4D894ADDBBB2FF88300F1085AAE54AAB254EB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7A78, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2933fab10ad259960c6d86fccbefcd956959cbae7cd6d994ae076b349ddf6da
Instruction ID: a4aef304d1308b438060b08784942ce7f07f5801fd85c6dd28a02eb9a6824788
Opcode Fuzzy Hash: b2933fab10ad259960c6d86fccbefcd956959cbae7cd6d994ae076b349ddf6da
Instruction Fuzzy Hash: 4BB168B0D15218CFEB54EFA4D884A9DBBB2FF88300F10956AE54ABB354EB349941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7D84, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc4a43cc2de1cf1d0aa291b91012eec9dc2dccc30e928d26a3b8b595105f522
Instruction ID: 075b72f31c549f1fc5e33a856db7495228fa9bbd03cf2559a78fcd26f2c51368
Opcode Fuzzy Hash: 1fc4a43cc2de1cf1d0aa291b91012eec9dc2dccc30e928d26a3b8b595105f522
Instruction Fuzzy Hash: CD9179B4D15218CFDB54EFA4D894A9DBBB2FB88300F10856AE54AAB254EB349941CF14

Uniqueness

Uniqueness Score: -1.00%

Function 06DDD130, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905ed27564089fd857837835c3709341cab27948953201ceb39842b55d35b7a8
Instruction ID: e30425867de600833a0123d6dfbe031930eeb8cc59ad448df35a5ca2ae7ade82
Opcode Fuzzy Hash: 905ed27564089fd857837835c3709341cab27948953201ceb39842b55d35b7a8
Instruction Fuzzy Hash: D471D4B4E012199FCB54EFA5D9549EEBBB3FF89300F20902AD916AB354EB345902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06DD54C0, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9968106490882baffd6acdaae07c54b19eaecea3e1b9926b9182537271312d
Instruction ID: 370dfc524cb725f7d731445b5224c35667e590a0e2e5a42dd1a845fe59f12f32
Opcode Fuzzy Hash: 8d9968106490882baffd6acdaae07c54b19eaecea3e1b9926b9182537271312d
Instruction Fuzzy Hash: 267124B4D11208DFDB44DFE4E9986ADBBB2FF89301F10842AD916AB354EB349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DD54B0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b99c8f2c9a3451f9030eff203d47fc4876f1a6198f2469fb6b62274d55a8ab0
Instruction ID: 218b40276d0e310d2f2a166908aac8632d69b469cbf440b12ecb6d8c21d306a1
Opcode Fuzzy Hash: 1b99c8f2c9a3451f9030eff203d47fc4876f1a6198f2469fb6b62274d55a8ab0
Instruction Fuzzy Hash: E66137B4D11248DFDB44DFE4E9986ADBBB2FF89300F10842AE916AB354EB345A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DD6C60, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b0f5683b8c04a76181a5835649e644edb166971a14576eb9d9fe471bd73207
Instruction ID: 7d5e2f0e59a5aef88bdccfaa7050c48a43d46f8fe8977963554685a6ba5acf17
Opcode Fuzzy Hash: 86b0f5683b8c04a76181a5835649e644edb166971a14576eb9d9fe471bd73207
Instruction Fuzzy Hash: 43512574E11659CFDB54EFE9D9405DDBBB2FF89300F24852AD519AB204EB30A942CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06DDC420, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f369bad7ac6798f1685326be936a821be69fb49f269c9682ff9642cd8ac62698
Instruction ID: 4a825b8569327195c4e847c1b685b326e03295cf0dda3d91761e7c62207847b4
Opcode Fuzzy Hash: f369bad7ac6798f1685326be936a821be69fb49f269c9682ff9642cd8ac62698
Instruction Fuzzy Hash: D5416970E292189FDB48DFA5D9505EDBBB7FF8D301F10942AD406B7294EB34A801CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D1060, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b624a76128beeda1a3d801201fe3a583356c07a3c766feabcefb10db240c2b87
Instruction ID: 234bd25844086b9738a148fd1b8f290b4d2cb5fb88d466e7ff829ccfe12e47dc
Opcode Fuzzy Hash: b624a76128beeda1a3d801201fe3a583356c07a3c766feabcefb10db240c2b87
Instruction Fuzzy Hash: 78114C30D092588FDB149FA6D5187EDBBF1AB4E301F549069D401B3290CBB44A48CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D1050, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73d721e7c8ca4975fc7ac10743cef4ab3bba56714a2c6c2bf62c7a5a716ac47
Instruction ID: 1e70df4e2d3fc8ad9f04b9ac953c04382106804b2f6ce2bc491ed15cf4f04e65
Opcode Fuzzy Hash: e73d721e7c8ca4975fc7ac10743cef4ab3bba56714a2c6c2bf62c7a5a716ac47
Instruction Fuzzy Hash: 6E116A30D09299CFDB159FA5E5187FDBBF1AB0F302F545469D081B3290CB748A48CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02356B80, Relevance: 6.1, APIs: 4, Instructions: 125threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02356BF0
GetCurrentThread.KERNEL32 ref: 02356C2D
GetCurrentProcess.KERNEL32 ref: 02356C6A
GetCurrentThreadId.KERNEL32 ref: 02356CC3

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1b59afa06def1460b63fc295539027ce284fc1e56c87b2e22f00c91ba02b4078
Instruction ID: 5e1e0f105d06fd713f0fbf10c8901c73a23b834a2897960578cf907224616919
Opcode Fuzzy Hash: 1b59afa06def1460b63fc295539027ce284fc1e56c87b2e22f00c91ba02b4078
Instruction Fuzzy Hash: E95164B4A006488FDB10CFA9CA48BDEBBF4FF89318F2084AAE519A7350D7755844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02356B90, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02356BF0
GetCurrentThread.KERNEL32 ref: 02356C2D
GetCurrentProcess.KERNEL32 ref: 02356C6A
GetCurrentThreadId.KERNEL32 ref: 02356CC3

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 08685303788f0ae5a9d958fecba3003ac18a4b842da523985ae9eba27d8307e0
Instruction ID: 3b0fd080c45ce4fe90ed29e16d67a722149d26a3e9617eca185b4d00de4fba0d
Opcode Fuzzy Hash: 08685303788f0ae5a9d958fecba3003ac18a4b842da523985ae9eba27d8307e0
Instruction Fuzzy Hash: 5B5155B4E006488FDB14CFAADA48B9EBBF4FF88318F208469E519A7350D7755844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06DDB07C, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DDB2B6

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d83822b3e137d658eb0cef0000839a409e18717711ecc1cd943f8ede3f9132d2
Instruction ID: a156e5f227425ed196f3f36c0360a2642aca825288f2b4ce4841a281fba4c1e6
Opcode Fuzzy Hash: d83822b3e137d658eb0cef0000839a409e18717711ecc1cd943f8ede3f9132d2
Instruction Fuzzy Hash: BC913BB1D002199FDF60DF68CC41BEDBBB2BF48318F1585AAE819A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DDB080, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DDB2B6

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d0b21a3d72e573991dfbaec654d2d5d5b7a21581c640af33a389cf0b21dd5e03
Instruction ID: a5337bcd92018abe9bae52b0b070f7408021f9efd4d8014e4dc20d2c086bf47a
Opcode Fuzzy Hash: d0b21a3d72e573991dfbaec654d2d5d5b7a21581c640af33a389cf0b21dd5e03
Instruction Fuzzy Hash: CC913BB1D002199FDF60DF68C8417EDBBB2BF48318F1585AAD819A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0235BBB8, Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0235BE0E

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 068e2fb76e7d631ad1a7a4a2f0b5661235fe8df7f7e497ccc9da3ba026a0d9d8
Instruction ID: 78faa0e6c8f299c2fa1dd88294b4036f7e99e7154b7b8d53ba59bab4095f23e2
Opcode Fuzzy Hash: 068e2fb76e7d631ad1a7a4a2f0b5661235fe8df7f7e497ccc9da3ba026a0d9d8
Instruction Fuzzy Hash: A6812770A00B158FD724DF29D451B5ABBF6BF88308F10892DD98AD7A44DB75E806CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAB10, Relevance: 1.6, APIs: 1, Instructions: 127processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DDB2B6

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8cb7f7ac6b0a44684f3cda4cd9ac7e371ee97c73e478a8fe14b9790a54966617
Instruction ID: 8ba04cffcfe9a76e595783a2569b120a3ccea487806fea7148cfcebb02da3a22
Opcode Fuzzy Hash: 8cb7f7ac6b0a44684f3cda4cd9ac7e371ee97c73e478a8fe14b9790a54966617
Instruction Fuzzy Hash: F0513971D04218DFDF60EFA4C884BEDBBB2BF48308F11849AE80876250DB759989DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0235DC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0235DD8A

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 20444ee37c739b8d0bfee5a9fa356bca4e064aadb9b9126875e1472c79569ae9
Instruction ID: a638cfc42544f8b6680c2a8e6beb247eed166d57e9dbcbae02b33c0f8e6afa94
Opcode Fuzzy Hash: 20444ee37c739b8d0bfee5a9fa356bca4e064aadb9b9126875e1472c79569ae9
Instruction Fuzzy Hash: 7C51B0B1D00319DFDB14CF9AC984ADEBBB5FF88314F24812AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0235DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0235DD8A

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7d5093846e53e2787096dad0385a742e6459738cd4bb12ed44d6bfcf101c2fc1
Instruction ID: a05f8f5c1f502aa979fceef017bbb11a35dfeb26c93e7677ab112fe1570d0d4a
Opcode Fuzzy Hash: 7d5093846e53e2787096dad0385a742e6459738cd4bb12ed44d6bfcf101c2fc1
Instruction Fuzzy Hash: 1A41ADB1D0031D9FDB14CF9AC984ADEBBB5BF88314F24812AE919AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02356D41, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02356E3F

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0206d10ba7df64d573f11cd0694f38b81ed4cfba9201fcf190a2d248079d67ea
Instruction ID: 2c8d089882b12f840fbe3e5a3e7b096080b7160edfeba4620e3500d545a2096f
Opcode Fuzzy Hash: 0206d10ba7df64d573f11cd0694f38b81ed4cfba9201fcf190a2d248079d67ea
Instruction Fuzzy Hash: 45416D76900258AFCF11CFA9D844AEEBFF9EF89320F14805AEA44A7311D3359955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAD30, Relevance: 1.6, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DDADA6

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 364c7a7bcea23803f9614a4ff6a2da6a06a22b08d41f8f4a5ce3486db99fc8bc
Instruction ID: 17d901bfde9ef4401705b01dc0d5d89e0d267a2f9ecb8f28c7f58139d371f109
Opcode Fuzzy Hash: 364c7a7bcea23803f9614a4ff6a2da6a06a22b08d41f8f4a5ce3486db99fc8bc
Instruction Fuzzy Hash: 39315E729002098FCF10DFA9D9447EEBBF5FF88324F24841AE515A7240C7399949DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DDADF8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DDAE88

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3795811d1583871587ee10a1d51792fd1d943069cfa1f9f7dc1c974ccb27c146
Instruction ID: 0499513989214332e84b1d95287282acdd65d86da6d39777f76d828af3079614
Opcode Fuzzy Hash: 3795811d1583871587ee10a1d51792fd1d943069cfa1f9f7dc1c974ccb27c146
Instruction Fuzzy Hash: EE2124719003499FCB10DFAAC884BEEBBF5FF88314F14842AE919A7340D7789945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02356DB0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02356E3F

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ab30465dfc85659b0cf68e8e0cd6e22968139082c871acc5bde2bd3c8136836f
Instruction ID: 468935c3633b6d5ad5c21e9d09e746a892741981cbc3e09a4d042060f0489d0b
Opcode Fuzzy Hash: ab30465dfc85659b0cf68e8e0cd6e22968139082c871acc5bde2bd3c8136836f
Instruction Fuzzy Hash: 532103B59012089FDB10CFA9D984ADEFBF8FF48324F24805AE954A3310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAC58, Relevance: 1.6, APIs: 1, Instructions: 66threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06DDACDE

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 38e2e7cfd9700fb8fef2b278748b597660845bca9c27ad274262b579b31508e3
Instruction ID: 59aa94f32597a9dd6e72c7bb18d66ec866112ed18146dbe4d5d59c2d17ea6656
Opcode Fuzzy Hash: 38e2e7cfd9700fb8fef2b278748b597660845bca9c27ad274262b579b31508e3
Instruction Fuzzy Hash: FA213771D002098FCB50DFA9C5847EEBBF4EF88224F14842ED559A7740CB789949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAEE8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DDAF68

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7565ab3b73646c14ade3452ab8863d3cc05cad0dd0176642e380fbdda3252a1c
Instruction ID: f9e20a65f5b99fd2705f385f492dfff5da77c451b42083a5a981650b080dab27
Opcode Fuzzy Hash: 7565ab3b73646c14ade3452ab8863d3cc05cad0dd0176642e380fbdda3252a1c
Instruction Fuzzy Hash: BB2128B1C003499FCB10DFAAC884AEEBBF5FF48314F54842EE519A7240C7759945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAC60, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06DDACDE

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 84d1dc7313885215f330caf4b3a40e247012c5c5ed389a6c5fc63b30e444f07c
Instruction ID: 331445cd81f4b747a43d0734dac6280a6ae60cea5cb60cc8233ef244f1610a9d
Opcode Fuzzy Hash: 84d1dc7313885215f330caf4b3a40e247012c5c5ed389a6c5fc63b30e444f07c
Instruction Fuzzy Hash: 8E210971D002098FDB50DFAAC5847EEBBF4EF88224F14842AD519A7340DB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02356DB8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02356E3F

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06333ab8f70a3a918bb9851fbb157e5ad1084285706b1c674a7606c9526b8520
Instruction ID: d1d9ff3b479be8d45e95f2eead969ae6a8f267ba4b6440b87fd722123ae607c5
Opcode Fuzzy Hash: 06333ab8f70a3a918bb9851fbb157e5ad1084285706b1c674a7606c9526b8520
Instruction Fuzzy Hash: 1B21C2B59012189FDB10CFAAD984ADEBBF8FB48724F14841AE918A3310D375A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0235B0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0235BE89,00000800,00000000,00000000), ref: 0235C09A

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ea32b0b5897b2ca72e05b562d9e7f5cba862bfcd6f5169fa0ebd5837b79b4a8e
Instruction ID: 3af8674c588dba871614dfe21a9e72a37ce73dfedc09dc6dd369fb5458ec6ac2
Opcode Fuzzy Hash: ea32b0b5897b2ca72e05b562d9e7f5cba862bfcd6f5169fa0ebd5837b79b4a8e
Instruction Fuzzy Hash: 8B1106B69003188FCB10DF9AC444BDEFBF4EF88328F14841AE919A7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DD53B8, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06DD542B

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 71529523f589ac3e595ba3f8dc4df95090033590e34a9e3bd0ba8c14e38a1b77
Instruction ID: e04afee5cda6853c5bf838dfc91cc072177c6fb0c6795f3d35c938557329fe6b
Opcode Fuzzy Hash: 71529523f589ac3e595ba3f8dc4df95090033590e34a9e3bd0ba8c14e38a1b77
Instruction Fuzzy Hash: AE21D3B19002199FCB10DF9AD984BDEBBF8FB48324F10842AE959A7240D379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DD53B1, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06DD542B

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 096d26fe84e773ab577ad27b8a7294e943c421c86711c5d0f4ea2e796d102ff0
Instruction ID: fc2899c357425cd30e4d68e457b0f0ceba8ded5a961262db02ef97602acf531d
Opcode Fuzzy Hash: 096d26fe84e773ab577ad27b8a7294e943c421c86711c5d0f4ea2e796d102ff0
Instruction Fuzzy Hash: C72117B1D002199FCB10DF9AD984BDEBBF4FB48324F10842AE559A7740D3749645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0235C028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0235BE89,00000800,00000000,00000000), ref: 0235C09A

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 64241cbc09df8a15492494768c92f2d41caf27a6a221d02bc2c621f97b408e49
Instruction ID: ccfa4413d3cbde3a0ff96681019855498f8b1154ab69df489895c3f039774916
Opcode Fuzzy Hash: 64241cbc09df8a15492494768c92f2d41caf27a6a221d02bc2c621f97b408e49
Instruction Fuzzy Hash: F31106B69003099FCB10CF9AC844BDEFBF4EF89328F14855AE959A7600C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06DDAD38, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DDADA6

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 486fef27234578ab0ef8209dd66a415a966e8031d773f80dbeb8c7ece5baf3a0
Instruction ID: aad75de6e0c55a925267be7357f4cf704f7651f0245f30244bba17f7be8b979e
Opcode Fuzzy Hash: 486fef27234578ab0ef8209dd66a415a966e8031d773f80dbeb8c7ece5baf3a0
Instruction Fuzzy Hash: BD1137729002489FCF10DFAAC844BDFBBF5EF88324F24841AE915A7250D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9070, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06DD90E8

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 2b854b12a3db570b4b8f9fb43a824a56ad8f1ea841ac85385e0b13c04a676e87
Instruction ID: 5b1f4c8c4911247bf944899578489cd471e912e2f446a5ea3f7e1cb219fffbf9
Opcode Fuzzy Hash: 2b854b12a3db570b4b8f9fb43a824a56ad8f1ea841ac85385e0b13c04a676e87
Instruction Fuzzy Hash: CB1142B5C0061A9BCB10CF9AD9547AEFBB4FB48320F10812AD819B7700CB756605CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DDABA8, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DDAC12

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 52c44821e9fe1d654f8afb6346f7c44cafeb47989de15858e6102bd00ee8390d
Instruction ID: 37091cd7576c7fb14953b3579527d31f61f1c2cf9e569cc545c70192be228791
Opcode Fuzzy Hash: 52c44821e9fe1d654f8afb6346f7c44cafeb47989de15858e6102bd00ee8390d
Instruction Fuzzy Hash: 051119B1D042488FDB20DFA9D5447EEFBF5EF88228F24882DD555A7340C7795945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9078, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06DD90E8

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 8316cf98fb86e02771701a5600163e7fdb38ffc57c131fa6feb81febfae370fc
Instruction ID: d381007f2b2c5af360a0d329355e38d404d385362c3b84e1b8f5abb484de0e05
Opcode Fuzzy Hash: 8316cf98fb86e02771701a5600163e7fdb38ffc57c131fa6feb81febfae370fc
Instruction Fuzzy Hash: 461134B1C006199FCB10DF9AD954BEEFBB4FB48324F10811AD818A7740C775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DDABB0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DDAC12

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5d770597f9ebd15fff326e41e9b9e0df588c650b59ede58c199f24d0ea579be7
Instruction ID: fa43021133c3bf87e7d6991316bb17ed67b2d1d3e8ab983baea562dc70e9c22a
Opcode Fuzzy Hash: 5d770597f9ebd15fff326e41e9b9e0df588c650b59ede58c199f24d0ea579be7
Instruction Fuzzy Hash: D71128B1D042488BCB10DFAAC8447DEFBF4EB88224F248419D519A7340CB75A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0235BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0235BE0E

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 716d5abbd895f6cbe8fcd52b7834fe3ceddd3da71c61856ce1c58013291d3137
Instruction ID: f5b1e3ad37e1721ea987ea14bfe674e6ebccb736ebc3e4d55dfb878e7a29c9e0
Opcode Fuzzy Hash: 716d5abbd895f6cbe8fcd52b7834fe3ceddd3da71c61856ce1c58013291d3137
Instruction Fuzzy Hash: 6C1110B6C002598FCB20CF9AD844BDEFBF5EF88228F24841AD919A7600C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0235DEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0235DF1D

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d29268e75978fc17f0e444a824a4d658f5a503451e970d149ae4c3c300abd562
Instruction ID: 51b2864dd3abe267f9f6343210b52e721ef0d74d7a1355908ae4815544bbed35
Opcode Fuzzy Hash: d29268e75978fc17f0e444a824a4d658f5a503451e970d149ae4c3c300abd562
Instruction Fuzzy Hash: E51103B59003099FDB10CF99D984BDEBBF8EB88324F20841AE959A3700C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0235DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0235DF1D

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e04b56d3a531bfa6b73f232787496942fe38d4a569c3488f253018d8aefbd6fe
Instruction ID: 2942e16f812c11cef5092f6469ef5f7e79d1c529d52cb50b952b34cdefa5efb4
Opcode Fuzzy Hash: e04b56d3a531bfa6b73f232787496942fe38d4a569c3488f253018d8aefbd6fe
Instruction Fuzzy Hash: FA1115B58003089FDB10CF99D984BDEBBF8EB88324F20841AE919A3700C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DDF988, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06DDF9E5

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ea4fb67368c734078f471400b42fba1250d9154196c5b2120f564650d3929e97
Instruction ID: f4d11fad0589fa5d359596d0da3069ceaa6270a5ce512bac7d833ff11c304570
Opcode Fuzzy Hash: ea4fb67368c734078f471400b42fba1250d9154196c5b2120f564650d3929e97
Instruction Fuzzy Hash: D311D3B58003499FDB10DF9AD985BDEBBF8EB48324F20841AE555A7700C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D05A9, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3890c82a1d8c60969c7d0cc5d2ba67ee0d6fb8c22800d5c6ac2f1f992ba908f7
Instruction ID: c516fd0e65bbd3e6f9de36595b74bf104964789779187e710dc7610500362e6f
Opcode Fuzzy Hash: 3890c82a1d8c60969c7d0cc5d2ba67ee0d6fb8c22800d5c6ac2f1f992ba908f7
Instruction Fuzzy Hash: 2231AF30B096118BCB65AB79E4A062E77A3AF89304F54887DD4498F756DB34DC098B94

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D05B8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8d71a9df7dc201eb6a47faf53eb8e4e6b043f12ac7e91e372cc5f3b36765fc
Instruction ID: cd1d7f276283e8939874164c097c101843754f7905a244bf1cccdc61dd1b161c
Opcode Fuzzy Hash: 3f8d71a9df7dc201eb6a47faf53eb8e4e6b043f12ac7e91e372cc5f3b36765fc
Instruction Fuzzy Hash: F231BC70B046118BCB68EB79E4A0A2E77A3AFC9704F54883CD5098F796DB34DC098B94

Uniqueness

Uniqueness Score: -1.00%

Function 0094D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261112988.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064e5e3b506f720001e8de77e14b322b9c4603ae08f6d32ae815659c340c7570
Instruction ID: 091c0c225d229058c451c3dcb6c91aa73e33f380bb975d2075c4b533dc7abb9d
Opcode Fuzzy Hash: 064e5e3b506f720001e8de77e14b322b9c4603ae08f6d32ae815659c340c7570
Instruction Fuzzy Hash: 312128B5504204DFDB05CF14D9C0F16BB69FB88328F348569F9094B25AC73AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261196211.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8e70b13a4eb1955728968f858b52941ce4d9c2ee3b51627f0b9e9f0d6e7957
Instruction ID: 3d5bdf34fc4515cc0d5e06a14d8e9e5292e3495bff04d77b30d9d814c5e56bdb
Opcode Fuzzy Hash: 3a8e70b13a4eb1955728968f858b52941ce4d9c2ee3b51627f0b9e9f0d6e7957
Instruction Fuzzy Hash: 772104B1504248DFDB14DF24D8D0B26BBA6FB84314F34C9ADEA094B246CB36D84BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261196211.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3c881db2abbf6ee1154810ad200000a96345f3c9b384b32a6da7963e2df685
Instruction ID: d335c4c63937627bd52bc30c1b707de379c535ee04cbcaba6186886a23b063f5
Opcode Fuzzy Hash: db3c881db2abbf6ee1154810ad200000a96345f3c9b384b32a6da7963e2df685
Instruction Fuzzy Hash: 1B21C5B1504248DFDB05DF14D9C0B26BBA6FB84314F24C9ADEA094B256C736D84ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261196211.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46df0674da427b07827aa0a7449122bfad136873bd7724bb25a06098e233a0c8
Instruction ID: 65d20e2555cdea4db74418226430bd6a78785dcb7eb111e80731f64e459bb11a
Opcode Fuzzy Hash: 46df0674da427b07827aa0a7449122bfad136873bd7724bb25a06098e233a0c8
Instruction Fuzzy Hash: E521C6755093848FCB02CF20D5A0B15BFB2EB46314F28C5EAD8498B657C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D158C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dca260f9a3dcb510d432ada6e5f1ef0d6ab9d0797576b9461314f298cda3c2a
Instruction ID: 42cace199b21c39c5acce162edf48a4763a7a550ca20ea54e03c66a92a6c7b70
Opcode Fuzzy Hash: 2dca260f9a3dcb510d432ada6e5f1ef0d6ab9d0797576b9461314f298cda3c2a
Instruction Fuzzy Hash: 09115C70E06209CFDB14DF69D054AAEB7F1AF49304F55846AC458AB321D778ED02CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0094D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261112988.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4288b8d1924a243b74452ed9894bda5974195c5eafdb5ecf84050c0b22077c9
Instruction ID: b116202d8f79adc102927092d497bf5cf7003cbc7911e911d2191a45f6bac980
Opcode Fuzzy Hash: a4288b8d1924a243b74452ed9894bda5974195c5eafdb5ecf84050c0b22077c9
Instruction Fuzzy Hash: 8011D376404280CFCF11CF10D5C4B16BF71FB94324F2886A9E8054B61AC33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D1CB7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bdba6d3dbbe6f9e43df78ad024941567ff9f1a71e017883514c1fb8cbf3e2a
Instruction ID: dae6d24b14949a63d57c9e074efba7a2a29c1cd40360e1c08cd347af16ed763f
Opcode Fuzzy Hash: f1bdba6d3dbbe6f9e43df78ad024941567ff9f1a71e017883514c1fb8cbf3e2a
Instruction Fuzzy Hash: F6116A70E052058FDB18DF69D054BBEBBF1AF4A300F5984A9C858AB322D778D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261196211.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ef8b8e69474e9e3f59cfca7e61f3031d75341f00d8d617f05e8a12da4b6053
Instruction ID: 5b1b40f8ce20ab54f0f7f455ed16e1cc1ac0d7d0e8afe936ddda168f49c155cb
Opcode Fuzzy Hash: 27ef8b8e69474e9e3f59cfca7e61f3031d75341f00d8d617f05e8a12da4b6053
Instruction Fuzzy Hash: D3119075504284DFCB11CF10D5C4B25FBB2FB84314F28C6AED9494B656C33AD84ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0094D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261112988.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b65df82c57c48bd1209f8ece2b508956dea9d8ce7b1686a8f35163504e7364
Instruction ID: b032afd5f9220e9012640986a2ebb67464d24bdb5cdc4dad8be939f743b99938
Opcode Fuzzy Hash: 83b65df82c57c48bd1209f8ece2b508956dea9d8ce7b1686a8f35163504e7364
Instruction Fuzzy Hash: 3701F7B50093449EEB104A15CC80FA6BBDCEF41724F28C85AED045B246D3789844C672

Uniqueness

Uniqueness Score: -1.00%

Function 0094D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261112988.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fc9f743cae66b92103485dd427867f7f114fee919305ed793317b6a20f31c2
Instruction ID: 33408831ee55cde591649147eb64a1679d30ec28046287ba6a4c60f0ea1179f1
Opcode Fuzzy Hash: 67fc9f743cae66b92103485dd427867f7f114fee919305ed793317b6a20f31c2
Instruction Fuzzy Hash: 41F062B54052549EEB108A15DD84B62FB9CEF91734F28C45AED085B286C378AC44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D0F20, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45f97a627c2ea2852970826dd8a77fe0a789ebec93ab811f2622fbaf83296d2
Instruction ID: 8d145c45a5a2f1771b9560db37babea0799691629f6220647ae4f8e0fd625057
Opcode Fuzzy Hash: f45f97a627c2ea2852970826dd8a77fe0a789ebec93ab811f2622fbaf83296d2
Instruction Fuzzy Hash: 1DF0DAB0D0430A9FDB44DFA9D841AAFBBF5EF48200F5045A9E918E7301E77499458BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D0F12, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a395ce7feedccf8182b95a1356fd7feccb430c6e5decf9efeec94c62683e00d
Instruction ID: acbe55595397d6f0bccfb11f434eb31e8eae4704fafc0eab8d4d6d2c699bc481
Opcode Fuzzy Hash: 7a395ce7feedccf8182b95a1356fd7feccb430c6e5decf9efeec94c62683e00d
Instruction Fuzzy Hash: D2F0CDB0E083869FD754CFA9D415AAFBFF5AF09220F20498CE890DB282DB349441CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D2304, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c384254858d537afedcd2341a04baec6a1703fe1a3ea0917db319a3c6984c76b
Instruction ID: 6f7cad97397ac79c42a6a70bfa00a93e55dd7638583b0f523b222839e89d30a5
Opcode Fuzzy Hash: c384254858d537afedcd2341a04baec6a1703fe1a3ea0917db319a3c6984c76b
Instruction Fuzzy Hash: 06F05EB1D492499FC740DFAA986429A7FF0FF1A200F8485AAE001DB231E7748906DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D22AF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a9ded9bccef3f3a6c09dfc5b04c2dc8cd1e08849d1753ce18940aedcd24805
Instruction ID: 15dfd6cafde929a664befea6dfa6f813d49f4ca23f5720f37b74452baaf6240a
Opcode Fuzzy Hash: d0a9ded9bccef3f3a6c09dfc5b04c2dc8cd1e08849d1753ce18940aedcd24805
Instruction Fuzzy Hash: 01F03970E49249AFC741DF7DD8256AEBFF0EF49204F5585AAD085D7621DB7089068F80

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D0EC8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce2a9d41837b25d9a6f0b67404782110e393d0a776d059e1cfa2cc80c2fa5bd
Instruction ID: 83dcbd51e43be7a4e349f091c70f08b746c55461fa1f9df7d28e4ecbbf5063f4
Opcode Fuzzy Hash: 2ce2a9d41837b25d9a6f0b67404782110e393d0a776d059e1cfa2cc80c2fa5bd
Instruction Fuzzy Hash: 5FE012B0D4420A9FC780EFAAD905A5EBBF5AB08200F6084A9C018E7211EB708A058F90

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D0EBA, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0749cc7b38e4353d5f69cfa51c7c9eed74c91c78419c044e323e267c447e69f7
Instruction ID: c0341a35968e23310e4b5dee50ce132323bf228255543aa3f241211ea4ff19af
Opcode Fuzzy Hash: 0749cc7b38e4353d5f69cfa51c7c9eed74c91c78419c044e323e267c447e69f7
Instruction Fuzzy Hash: CAE0D870E44245EFC350CF79D504A4ABFF25F05324F6585D8D4A4DB2A3CB3548068B00

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D22C0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209511ffe4e2a14b79c996ba8c570a9419db346fe4b9db0aa03b63536519d443
Instruction ID: 7afb3f7fd7730fc5c6ae34b916f384efa2bae46011f6439403e5747d748ae5fe
Opcode Fuzzy Hash: 209511ffe4e2a14b79c996ba8c570a9419db346fe4b9db0aa03b63536519d443
Instruction Fuzzy Hash: 33E092B0D442099FD740EFAAD91565EBFF0BF08200F5085A9D015E7221EB749A059F91

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D1C78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154520a38b8365ae81f114088d12bf921ef5ad6b9b4fbdb004f1cbdea7346315
Instruction ID: 3759c573f3bd0f063f277798ecef86545c6052bb264ba3011f899178f7712a81
Opcode Fuzzy Hash: 154520a38b8365ae81f114088d12bf921ef5ad6b9b4fbdb004f1cbdea7346315
Instruction Fuzzy Hash: 7DD012B0D4531D9FD740EFB9950179EBBF56B04200F90886AC015E7201EBB846058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D0FC0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cf47fe9453b78bf80ab880a60d88c3d36cf7902d8a949c55da924a4d613ea2
Instruction ID: 66ba14b5ffe08c4cb313bb0f3b08e33b65a48022f3aeb041c1fe506b1adb25b2
Opcode Fuzzy Hash: c3cf47fe9453b78bf80ab880a60d88c3d36cf7902d8a949c55da924a4d613ea2
Instruction Fuzzy Hash: EFD0123265410C5E4BC0EA94F800C9777EDBB65700F808432E904C7521E721E978D795

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06DD0908, Relevance: 2.7, Strings: 2, Instructions: 196COMMON

Download Yara Rule

Strings

1 @o, xrefs: 06DD0AB3
1 @o, xrefs: 06DD0AA5

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID: 1 @o$1 @o
API String ID: 0-4067625395
Opcode ID: 7f64d420bbe7a44ece69fc85d3710373a687cd2b122a208c2d82912d030046fb
Instruction ID: 8282553a85a7574d2d57058035b1ea57bdf2c086be5f874c8e40f59ae426a113
Opcode Fuzzy Hash: 7f64d420bbe7a44ece69fc85d3710373a687cd2b122a208c2d82912d030046fb
Instruction Fuzzy Hash: F1910274E1520ACFDB44CFA9D58499EFBF1FF88210F249569E459AB324D330AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 000FA9EA, Relevance: 2.0, Instructions: 1969COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.259411958.00000000000F2000.00000002.00020000.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.259390828.00000000000F0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b813345669f40c3c178840dd7e0b31dd1f99c7bf02b8b2432daffd8a8bb7bc
Instruction ID: 8a55e8dfc079ebdbc81a9186d7c5e9ea2566fa72b829db4c99baaa9eb285b327
Opcode Fuzzy Hash: 32b813345669f40c3c178840dd7e0b31dd1f99c7bf02b8b2432daffd8a8bb7bc
Instruction Fuzzy Hash: 05E2246680E7C19FCB135B786DB51E5BFB19E6721871E08C7C0C08F4A7E218199BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9807, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

*y/s, xrefs: 06DD986C

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID: *y/s
API String ID: 0-1861999474
Opcode ID: 846d20ba81eeb309bff542a6eca638fb0e6bff9b7283ed4541f10b6ac122505f
Instruction ID: b8a156c858765298a00237c3cd84f3709e253e745cb96d085fb35d67efdda30f
Opcode Fuzzy Hash: 846d20ba81eeb309bff542a6eca638fb0e6bff9b7283ed4541f10b6ac122505f
Instruction Fuzzy Hash: 5F817970E0520ACFDB44DFEAC591AEEFBF6AF88310F14D426D414AB254D7359A428FA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DD08F8, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

1 @o, xrefs: 06DD0AB3

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID: 1 @o
API String ID: 0-2095724020
Opcode ID: 08e46f44b8afd0ff9ba878ae9bc74361ddb138d73d30251d75e1461ea9884f74
Instruction ID: be26b5ea245a643a67d0a0d31a668c2ab89d7ddcd13c74b05d30827477add43e
Opcode Fuzzy Hash: 08e46f44b8afd0ff9ba878ae9bc74361ddb138d73d30251d75e1461ea9884f74
Instruction Fuzzy Hash: CA910574E1520ACFDB44CFA9D58499EFBF1FF89210F14956AE459AB324D330AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9818, Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

*y/s, xrefs: 06DD986C

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID: *y/s
API String ID: 0-1861999474
Opcode ID: 08fcdca80c0b6a8957676663565c6257f53827f518517bd826b2615d3c219659
Instruction ID: cd4dfc5f99d94496bc45a0fa6cc1f310d2dd3b9961121adbcab2d7bbb76a0b6b
Opcode Fuzzy Hash: 08fcdca80c0b6a8957676663565c6257f53827f518517bd826b2615d3c219659
Instruction Fuzzy Hash: EF715870E0520ACFDB44DFEAC591AEEFBF6AB88310F14D426D514AB254D7359A418F90

Uniqueness

Uniqueness Score: -1.00%

Function 0235C2B0, Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a5c4faf650d165a669d09dc83597ee4c7e468d5864a2a70617d40cd1023cdf
Instruction ID: 9c22eeaafd4d69121dd3ab3c2aa2fbfee57974f798f20ce1445b728cab12b59c
Opcode Fuzzy Hash: 32a5c4faf650d165a669d09dc83597ee4c7e468d5864a2a70617d40cd1023cdf
Instruction Fuzzy Hash: 555249F19807068FD712CF14ECC85997BB9FB40328FD24A09D5665FA90D3B8A56ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D2B88, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c8c25634fce57440016edd7c169555187dbc3bedd92d345639cd4807e4d087
Instruction ID: f859fc2c70697775f7c8cbaa449e3373715a07830123061b41c187d51d2d447f
Opcode Fuzzy Hash: a0c8c25634fce57440016edd7c169555187dbc3bedd92d345639cd4807e4d087
Instruction Fuzzy Hash: 32D1C234A042088FDB58DF69D5A8BA9B7F1BF8D301F6584A8E409EB371DB31AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9318, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96292f13131abc5d068acd901a83ff9c8f6442354ef9bf0e5c32670bd44a4bab
Instruction ID: 36a9faacf4bc2e83d5155dd0e05a4b333ec9ac829851558b2d2282a23e5aef49
Opcode Fuzzy Hash: 96292f13131abc5d068acd901a83ff9c8f6442354ef9bf0e5c32670bd44a4bab
Instruction Fuzzy Hash: 5AB125B4E05209CFCB44DFE9C6906DEFBF2AF89310F14D529D409AB258E7359942CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02359990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.261569727.0000000002350000.00000040.00000001.sdmp, Offset: 02350000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399fc5fac1b4fb2b9e0b31b72298d34f3753a7855badeab4de283e8586ea6329
Instruction ID: 031bf41db3bccf7c2f009d57b76ee2746acc0af4e8a960e7b50b162d504c5f32
Opcode Fuzzy Hash: 399fc5fac1b4fb2b9e0b31b72298d34f3753a7855badeab4de283e8586ea6329
Instruction Fuzzy Hash: 70A15C32E006298FCF15DFA5C84499EB7B3FF85304B15856AE809BB225EB35E955CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06DD9308, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3209255fc7bf9fec98ee0b1a5192d7f29f8c3e9d0eee4c20fdc4be75d2290c58
Instruction ID: 33f661b134841856f13df11541bfb3c06ed8e4208155f44ed0f752cc8e871299
Opcode Fuzzy Hash: 3209255fc7bf9fec98ee0b1a5192d7f29f8c3e9d0eee4c20fdc4be75d2290c58
Instruction Fuzzy Hash: 07B146B4E05209CFCB44DFE9C6905DEFBF2AF89310F14952AD409AB359E7359902CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DD6468, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc1ea46282c8bf3fdd31f949299c034a61eebc846523870deed1284cc520c7b
Instruction ID: 45a223c6aaa6ee1eb40db4577ee06f731a57c130033c87bd439f9ecf3a39a0fe
Opcode Fuzzy Hash: 1fc1ea46282c8bf3fdd31f949299c034a61eebc846523870deed1284cc520c7b
Instruction Fuzzy Hash: 1B911774E14229CFDB54DFA9C990A9DBBB2BF88304F2081A9D509A7355DB309A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DD6459, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7acbdb7e6bdce507faf07f35355e0770b967f96bbf071be2d668f251ab1b7f
Instruction ID: dfe664cae45318a9b7fd42a4dcd0f5e8cd8a42740174b056130fc7f654be12c7
Opcode Fuzzy Hash: fd7acbdb7e6bdce507faf07f35355e0770b967f96bbf071be2d668f251ab1b7f
Instruction Fuzzy Hash: 5C912974E15259CFDB54DFA9C980A9EBBF2BF89300F1481AAD409A7355DB309E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06DD5768, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446b2731e721ffbc1183ebe3a02d1149becdad0f245ef617b853d3f08c666352
Instruction ID: 55f6d01318e2a140eba651fd84b1842c24bda37adc5698f53ff36245115b8c6b
Opcode Fuzzy Hash: 446b2731e721ffbc1183ebe3a02d1149becdad0f245ef617b853d3f08c666352
Instruction Fuzzy Hash: 3D811774E04219CFDB54DFA9D980A9EBBF2AB89304F24C1AAD409A7255DB309E41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06DD5D4C, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435646e289f7c21bcd0ccddc64152bee961d3d1103523c1f68cbbde6fd538445
Instruction ID: e571c3b53c7cbd8b759b53d12b352ec3e32df7df2b7958ff77edbde29372292a
Opcode Fuzzy Hash: 435646e289f7c21bcd0ccddc64152bee961d3d1103523c1f68cbbde6fd538445
Instruction Fuzzy Hash: 7F716A74A01259DFDB14DFA9D980AAEFBF2FF88300F24C5A9D448A7215DB309941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DD5D88, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9190319fd0a8514c55dbf257b002bab95e1ff1adcc8a6a951fb72238d41bfd95
Instruction ID: 565ba93c67163ed96bf39fb5a2f2bddeb1d3955ed8a6a21fecb08e10b806b638
Opcode Fuzzy Hash: 9190319fd0a8514c55dbf257b002bab95e1ff1adcc8a6a951fb72238d41bfd95
Instruction Fuzzy Hash: 12512874E11259DFDB54DFAAD980AAEFBF2BB89300F24D169D408A7315DB309941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2028, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbf04a5ee58855ff1e5934cd0bd1bea8cc9d2e08d4369f92f5d40f4e0c49aec
Instruction ID: 5a61af1343ebd6c4e89919209577d6d85ae880f6e7d2399d92253c32716481a9
Opcode Fuzzy Hash: 3cbf04a5ee58855ff1e5934cd0bd1bea8cc9d2e08d4369f92f5d40f4e0c49aec
Instruction Fuzzy Hash: EA5128B4E0520ADFDB44DFAAC5815AEFBF2EF88300F24D46AC555A7218D3349B41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2038, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f24c0d99d6dc130fffd004af33ea61e439af0d9aa3d6b32a530c7a51f5634b0
Instruction ID: 0cb135ee9ece1dabcdaba10bf0e0b4e8cff00a96b85ada2718fc747c10e60de4
Opcode Fuzzy Hash: 0f24c0d99d6dc130fffd004af33ea61e439af0d9aa3d6b32a530c7a51f5634b0
Instruction Fuzzy Hash: CA51F8B4E0520ADFDB44DFAAC5815AEFBB2EB88340F24D46AC515B7218E3349B41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2053, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de27f9db6cb4eb4a6eadee19c60c5ceb25e55af4b2a45ac975331cab3731593
Instruction ID: 0bcb78f0d9788ac9cc52125064469b92cd582982041b46d26e7350376af48c3b
Opcode Fuzzy Hash: 6de27f9db6cb4eb4a6eadee19c60c5ceb25e55af4b2a45ac975331cab3731593
Instruction Fuzzy Hash: D74129B4E0560ADFDB44DF9AC5814AEFBB2EF88340F24D46AC555B7228D3349B41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 06DD1B88, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d63049c7d7be54f41aa0c92c38da7ee79ca40f04742ca6f316e381b13c8a0a
Instruction ID: 426f20486bf2c27807be2d23fd9c4be40151a77904452668f103481a04c30ac7
Opcode Fuzzy Hash: 29d63049c7d7be54f41aa0c92c38da7ee79ca40f04742ca6f316e381b13c8a0a
Instruction Fuzzy Hash: 8641D770E0420A8FDB48DFAAC9815EEFBF2FB89300F24D469C515A7254E73496428F94

Uniqueness

Uniqueness Score: -1.00%

Function 06DD1B78, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fd32603aa42e32ed6ed34154b67737b0b04a3e1691863839296d94acf19ba2
Instruction ID: 2d1d6b3910eb7dc579e704bbb1fc33f60d47ab9a441e5027494787a516c04265
Opcode Fuzzy Hash: 94fd32603aa42e32ed6ed34154b67737b0b04a3e1691863839296d94acf19ba2
Instruction Fuzzy Hash: 2A41E570E0464A8FDB48DFAAC9815AEFBF2FF89300F24D46AC515A7254E73496428F94

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2DB0, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1939572862fe7752efc4ae3710e37d6cdc560ef7464c55320db50af242995bc
Instruction ID: a8c2a1830ffc1236a430cb3f822d2b81b45ca872c352c41fa0214e6e8b81d135
Opcode Fuzzy Hash: d1939572862fe7752efc4ae3710e37d6cdc560ef7464c55320db50af242995bc
Instruction Fuzzy Hash: 66414FB1E016188BDB68DF6B9D4479EFBF3AFC8300F14C1BA854CA6214EB300A468F11

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2DAE, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbe0a641fa8100550c17e82ce4afbb755be9f3cc1e4b6bfb1534d057ec9300b
Instruction ID: 7efabdf92b9a25bc5fc3c429aecc989382f9729f3f1d819b6070df9e094cd0a7
Opcode Fuzzy Hash: 0bbe0a641fa8100550c17e82ce4afbb755be9f3cc1e4b6bfb1534d057ec9300b
Instruction Fuzzy Hash: 804130B1E016188BDB68DF6B9D4479EFAF3BFC8300F14C1BA850DA6215EB300A468F11

Uniqueness

Uniqueness Score: -1.00%

Function 06DD8650, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7516c2c1fac5f91ec459fe494c655d045f930dd5c6c18c0dc99885f2b5eb6858
Instruction ID: 149c253962871825cc0139173badc0cc76671367f1f315cf6edc051a3155ef01
Opcode Fuzzy Hash: 7516c2c1fac5f91ec459fe494c655d045f930dd5c6c18c0dc99885f2b5eb6858
Instruction Fuzzy Hash: 69215770E16618DBDB59CFAAD9406AEFBF3AFC9310F18C07AD448A7255EB300A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06DD8660, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0338e63a53a6a7bb546561f961e645b93efca4fc8605ded549db51788bec98f0
Instruction ID: 23a4b79e944431a9cb1eef68802bbead556b03a5f75e19d644becbaf334f4b71
Opcode Fuzzy Hash: 0338e63a53a6a7bb546561f961e645b93efca4fc8605ded549db51788bec98f0
Instruction Fuzzy Hash: 9D11E771E11619DBDB58CFAAD94069EFBF7EBC8210F18C13AD508A7214EB305A428B91

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7FE8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9a121dffd7db98eaf7a6b7e1e1cefcc217b7c02c140685986838ac5c006b7b
Instruction ID: ea2a512332a8179bf440584d8ee4588f9fefc08e5da25f12ad5fdab7f251d911
Opcode Fuzzy Hash: 0c9a121dffd7db98eaf7a6b7e1e1cefcc217b7c02c140685986838ac5c006b7b
Instruction Fuzzy Hash: E1112971E116199BDB48CFABD9406EEFBF7AFC8210F14C17AD908A7214DB305A018F91

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2268, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78f84ae36215eea9ca9b4afde28d124801932973c9ea89ac128682bdfa59d0f8
Instruction ID: ba8da504e2b913aaf62f50004d3c5db1336d2d942b0ae8cb003ec0da1191f746
Opcode Fuzzy Hash: 78f84ae36215eea9ca9b4afde28d124801932973c9ea89ac128682bdfa59d0f8
Instruction Fuzzy Hash: 5011C971E016189BEB5CCFABD84069EFAF7AFC8200F04C07AC918A6264EB3056558F51

Uniqueness

Uniqueness Score: -1.00%

Function 06DD2258, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd1d4f55ea2669903f099b9f9c460b969a2edb1d5a40295f883d9bc8d369504
Instruction ID: 35fab921f802fcbd550e3b223e90d708326a106dd9baf0f692861d5f919a95ca
Opcode Fuzzy Hash: 8cd1d4f55ea2669903f099b9f9c460b969a2edb1d5a40295f883d9bc8d369504
Instruction Fuzzy Hash: 7B210071E016189BEB1CCF6BD94068EFAF3AFC9300F08C47AC908AA264EB300645CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06DD7FD9, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268103995.0000000006DD0000.00000040.00000001.sdmp, Offset: 06DD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0dcfe2ef9ad61700b4078ccf737034521a3226920e90f8e5a014e770ac86170
Instruction ID: 51cefce80c029576d37db34926084e7193cadc15b0b322f1fefa6f671519767d
Opcode Fuzzy Hash: f0dcfe2ef9ad61700b4078ccf737034521a3226920e90f8e5a014e770ac86170
Instruction Fuzzy Hash: FA114F70E126199BDB59CF6AD9406AEFAF3AFC9200F14C17AD408A7364DB344A11CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D2FAF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457aaedc7023901ab9d4e5fb637887f4eede812db7775d3f3b358aab69de4751
Instruction ID: 77a892ec5445de93274aa79432b2581aa3595e8b0e8a2d4b2aa225aea3b60e5c
Opcode Fuzzy Hash: 457aaedc7023901ab9d4e5fb637887f4eede812db7775d3f3b358aab69de4751
Instruction Fuzzy Hash: 8111A030C4A2589FDB108FA5E418BFEBBF0AB0E314F445469D401B3380C7748D48DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0E6D2FC0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.270712571.000000000E6D0000.00000040.00000001.sdmp, Offset: 0E6D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9593d6465ad194bd3341d339a8655a8a4a33ac612e14a6219c3ba9679e9391b
Instruction ID: 81b5bf78ea1b6d2b91e8f60f58f6bccbd1d66788b9edef1168934e3a1a0a4300
Opcode Fuzzy Hash: a9593d6465ad194bd3341d339a8655a8a4a33ac612e14a6219c3ba9679e9391b
Instruction Fuzzy Hash: 2C112A30D492588BDB15CFA6D418BEEBBF1AB4E310F54946AD401B3390C7784A48CAA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: zTM9EtIGQK.exe PID: 4864 Parent PID: 2996 zTM9EtIGQK.exeCOMMON

Executed Functions

Function 0143AB70, Relevance: 1.3, Instructions: 1289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107f882a131293ca9f147c4ea921ea0283ccb02e1820b8638180728fdfa4d809
Instruction ID: 2b805276403f2dff0ad4cea87262720cd5f2886fe975256c9e8b9436287ab459
Opcode Fuzzy Hash: 107f882a131293ca9f147c4ea921ea0283ccb02e1820b8638180728fdfa4d809
Instruction Fuzzy Hash: F6B28F34A002058FDB25DBB8D4987ADBBF2EFC8314F15846AE50ADB3A5DB349C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01432D50, Relevance: .9, Instructions: 883COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bded21c1121ca6ab583d1a882ba091e0a906001e26a5d25343528bbdfc6eeb
Instruction ID: 0dc9ffb82dfd29f896903e20f2b0dfcfc8e8b5b4dfd03f4c20fbcbc8fdbebf24
Opcode Fuzzy Hash: 07bded21c1121ca6ab583d1a882ba091e0a906001e26a5d25343528bbdfc6eeb
Instruction Fuzzy Hash: 02821730A006099FDB15CF69D584AAEBBF2FF88314F15896AE9459B3B1DB30ED41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0143B110, Relevance: .7, Instructions: 734COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057fd2fce58fad1fcac1d8a1a060dc0ea4e72143b89de09f5a408d3d1baaa507
Instruction ID: f310e6a5449b15eebf8b08f0ef44a219b21b689093705b0d44459bdf5d172c63
Opcode Fuzzy Hash: 057fd2fce58fad1fcac1d8a1a060dc0ea4e72143b89de09f5a408d3d1baaa507
Instruction Fuzzy Hash: 74624C34A002058FDB24ABA4D89876DBBB3FFC8314F158469E91ADB354DF34AC869F51

Uniqueness

Uniqueness Score: -1.00%

Function 01432020, Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0cbf323fe3925c923daea04a3ea3a9e21fd14b41d3f20a97bfc573949fa7dd
Instruction ID: 7f14fa275ed3d418986caf97ede67a18b64b2f748b2380ae339614212ce7dfe6
Opcode Fuzzy Hash: 4a0cbf323fe3925c923daea04a3ea3a9e21fd14b41d3f20a97bfc573949fa7dd
Instruction Fuzzy Hash: B0127D70A002199FDB14DF68D894BAEBBB2FFC8304F14846AE5169B3A1DF74D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01432618, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b739d68e51f35253e36b1c59f9fb62448df7749e69f1d6dc974b3c0309d3e3c
Instruction ID: 81a81129e8e6f3c2ee9b469a671125a9c95390576479a5abe7ea7d17698b5fa3
Opcode Fuzzy Hash: 0b739d68e51f35253e36b1c59f9fb62448df7749e69f1d6dc974b3c0309d3e3c
Instruction Fuzzy Hash: CB024930A00109DFDB15DFA8D984EAEBBB6FF88314F15806AE915AB371D774E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02EA69A0
GetCurrentThread.KERNEL32 ref: 02EA69DD
GetCurrentProcess.KERNEL32 ref: 02EA6A1A
GetCurrentThreadId.KERNEL32 ref: 02EA6A73

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c57e34c47feeb38e27b9252de56617905c2b413d28eb1ac38c2253e4353e9b54
Instruction ID: 5d6d5515427e6ab6dd89d16d61a4d0ccd31832007077b07e555f9855c1f6b3f8
Opcode Fuzzy Hash: c57e34c47feeb38e27b9252de56617905c2b413d28eb1ac38c2253e4353e9b54
Instruction Fuzzy Hash: 795143B0A002498FDB14CFAAD548BDEBBF4FF89318F24845AE409A7350DB346884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02EA500F, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d39bbeb87a5382072b311228d4d3526caeca345a7225e963a8e16c1e66a138
Instruction ID: 9110c513a365abd920a1bb9dc56dd6fd24b18c710bd34feff10532e5ea12085f
Opcode Fuzzy Hash: 00d39bbeb87a5382072b311228d4d3526caeca345a7225e963a8e16c1e66a138
Instruction Fuzzy Hash: AF6143B1C04348AFCF12CFA9C890ADDBFB5BF49304F59819AE808AB221D775A855CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02EA5090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EA51A2

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a35e2a1da15132798f740f065a629a5fbc5389888f1be7b7b7711c73897ff6e4
Instruction ID: 8923288841461cb3e39f8d16b501f654509a322df4ed18a81df341d1305ad816
Opcode Fuzzy Hash: a35e2a1da15132798f740f065a629a5fbc5389888f1be7b7b7711c73897ff6e4
Instruction Fuzzy Hash: 1341D1B1D003099FDF14CF99C894ADEBBB5FF88314F64912AE819AB210D775A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EA779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02EA7F09

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7b934103e2836c4a425a93e8d5c34fbf098413b37822c21a64aa222d8ba560fc
Instruction ID: 176f87d20c3bf8dd5e824abffca20e910f9731dfd9dbe80f0c6345c13f670b2f
Opcode Fuzzy Hash: 7b934103e2836c4a425a93e8d5c34fbf098413b37822c21a64aa222d8ba560fc
Instruction Fuzzy Hash: BF414CB5A002098FCB14CF99C448AAEFBF5FF88314F25C499E519AB311D734A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02EAC189, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02EAC212

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 895e6c37c586fe0b5d929ad89bfa4c241896c71da21ccefc48f02f00a1017f3d
Instruction ID: e6545243fdbf3c5009b5026f4d36e522791180370f3288cc800fe865cfc16988
Opcode Fuzzy Hash: 895e6c37c586fe0b5d929ad89bfa4c241896c71da21ccefc48f02f00a1017f3d
Instruction Fuzzy Hash: 5D31D4B18043488FDB10DFA5E91939E7FF4FB56318F24905AE448AB342D7796509CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EA6BEF

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f4682136c159024dbf85a51864b7cd27e68f4c223edb6465a340820bf851032a
Instruction ID: 222dd32a83e0452f27b400a98b17a07a3cc8864ec74efe0a6fed0f652b7b7391
Opcode Fuzzy Hash: f4682136c159024dbf85a51864b7cd27e68f4c223edb6465a340820bf851032a
Instruction Fuzzy Hash: FD21E2B59002089FDF10CFAAD984ADEBBF8FB48324F15841AE914A7310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EA6B62, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EA6BEF

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f58e69c6b40e2b4c04dbeacb08192a54050148cb4300ece030fdd8d046a5626
Instruction ID: d91a28fd580352b31f00055eef7be69f666edc7a451428e79f995ec58ac1bdb7
Opcode Fuzzy Hash: 7f58e69c6b40e2b4c04dbeacb08192a54050148cb4300ece030fdd8d046a5626
Instruction Fuzzy Hash: 4D21E0B69002089FDF10CFA9D985ADEBBF8FF48324F15845AE914A7310D378A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02EAC198, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 02EAC212

Memory Dump Source

Source File: 00000007.00000002.490488932.0000000002EA0000.00000040.00000001.sdmp, Offset: 02EA0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: ea240da2ddb71e194271b1e300aad82c70cec3fc2bfc7c80e4ede315cf684518
Instruction ID: fe7af1e6d032e415671f8713945f146f82f72dbd1209f27c7d2e18f4ba298cca
Opcode Fuzzy Hash: ea240da2ddb71e194271b1e300aad82c70cec3fc2bfc7c80e4ede315cf684518
Instruction Fuzzy Hash: C7117FB19003098FDB10DFA5D5487DFBBF4FB48718F20942AD409A7604DB396544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01433E28, Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b176be2f9c0173bf0e7187afbe40d5806bafdf7aee0c2705ec64ab786d7e0af
Instruction ID: 684225e003cfedf9a676f99300ff2a87b25f4aa2f6c2d1bd70a54a0d7d43c54c
Opcode Fuzzy Hash: 7b176be2f9c0173bf0e7187afbe40d5806bafdf7aee0c2705ec64ab786d7e0af
Instruction Fuzzy Hash: 43724534A0411D8FDB25AFA4C850BAEB7B6FFC8304F1180A9D60A9B390DB359D45DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F430, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.498736158.0000000005B90000.00000040.00000001.sdmp, Offset: 05B90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b61e21d0dfbb758d0981d946bbe05d29930980748fa1917be12bad47d48f8f0
Instruction ID: f3b3aedb23bf84b2a800dcd56c653fd28354cdc434763d6d2fbf2051fd4992ba
Opcode Fuzzy Hash: 2b61e21d0dfbb758d0981d946bbe05d29930980748fa1917be12bad47d48f8f0
Instruction Fuzzy Hash: 2BE17074B102098FDF19DBA8D494BBDBBB2FB89320F158479E406EB391DA34EC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 0143D24E, Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49f37a2795f46bf6270d413ae8d7839da67758b0b2fc6861eedcf8eb9ee2e06
Instruction ID: 92d4327726786af45f3902dbfa583e5b6273b37e7d2951838d96ad51fe29d813
Opcode Fuzzy Hash: d49f37a2795f46bf6270d413ae8d7839da67758b0b2fc6861eedcf8eb9ee2e06
Instruction Fuzzy Hash: FBE17034B493818FD7468BB898646A63BF69F8A314F1584F7E549CB3A3E638DC05CB11

Uniqueness

Uniqueness Score: -1.00%

Function 014316C8, Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b111cfc1e9b16600c3a4b35780530ff85dac826b5a19cedfce307b1602d01043
Instruction ID: ddf26da85d003ce2e070a2d5a47b5c6e060d6d47ddc86457b41252c41cd0ac3d
Opcode Fuzzy Hash: b111cfc1e9b16600c3a4b35780530ff85dac826b5a19cedfce307b1602d01043
Instruction Fuzzy Hash: EFC1AE347042158FDB169B28D894A7F7BF2BFC8655F15842AE9068B3A1DF34CC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F420, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.498736158.0000000005B90000.00000040.00000001.sdmp, Offset: 05B90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e83ae46dfb45c173232523ea2c87bfde72f9246102fc17d196e90bcb9ea4921
Instruction ID: 30c454d845921a409334e46108cf633293c98d0fba4792bfd0512cb3c6d1504b
Opcode Fuzzy Hash: 8e83ae46dfb45c173232523ea2c87bfde72f9246102fc17d196e90bcb9ea4921
Instruction Fuzzy Hash: E5C12B74E102098FDF59DBA8D494BBDBBB2FB89310F158469E806EB390DA34EC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 01434C78, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6674c55b6dd20181a13015598a016bc0817e9d67cc5acef836709314af72fc56
Instruction ID: b6b57d1ea2a70caee7c96cc169b9a663f91fd0c7fd9db885bba4385cb0ea7717
Opcode Fuzzy Hash: 6674c55b6dd20181a13015598a016bc0817e9d67cc5acef836709314af72fc56
Instruction Fuzzy Hash: A5D1E975A005148FCB15CF6DD5989ADBBF6EF8C310B2A84AAE505AB371CB30EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01434B58, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4feb154f4cd0e9a954ec32454e0d27b4a8d6bbc0987100b44a5eac11302e9d33
Instruction ID: 819dd2d68574b757c007a9a4a8c3e587cfa46776b95debedd4a8571e073e7ebc
Opcode Fuzzy Hash: 4feb154f4cd0e9a954ec32454e0d27b4a8d6bbc0987100b44a5eac11302e9d33
Instruction Fuzzy Hash: 8BD1E871A005158FCB15CFA9C5989EDBBF6FF88310B2A849AE515AB371DB34EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0143CE60, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be0316d24eb2fc8eac50dd7e2fd48af9d921df46d972f355731c22093d71ea1
Instruction ID: 3ba9466a7fd9918fc5ac5e970f99a9a5c8a8bd8112f613c8d3544b06c81755ff
Opcode Fuzzy Hash: 9be0316d24eb2fc8eac50dd7e2fd48af9d921df46d972f355731c22093d71ea1
Instruction Fuzzy Hash: D6C18C74A043498FC741DFB4D4A469E7BB6EF89304F1589B6D804EB762EB389C0ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0143F948, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8295c5494e2f9e0d8b131089c576e3cc4f295644b1d8f13d924a7cc518af65
Instruction ID: 9dfabba4a505265f68d9d6432afd050b410b9dac9a6c2b5cb120a5003db4f116
Opcode Fuzzy Hash: 8d8295c5494e2f9e0d8b131089c576e3cc4f295644b1d8f13d924a7cc518af65
Instruction Fuzzy Hash: EAA1A030B402089FDB10ABB4D858B6D7BB2FF85325F258526E9269B3E4DF309C099B51

Uniqueness

Uniqueness Score: -1.00%

Function 01431AC0, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a3e3dfe9890e152791f1d7199fc579b70cbe80f0f3e79c8c5b8a29cb976e6b
Instruction ID: d142300c6a904ece8bd5824c20664e81ccf424f350ff73ff48b31eaadb8a9f15
Opcode Fuzzy Hash: 83a3e3dfe9890e152791f1d7199fc579b70cbe80f0f3e79c8c5b8a29cb976e6b
Instruction Fuzzy Hash: 1B819134A00105CFDB18DF69D488AAABBB1BFCDA45B15816AD506DB371DB31E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01435280, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba56a07a0f5c6f1fe5afe5f8e9793c610ef43a7f5eab2b62bd10783bd3602b9b
Instruction ID: 44c2d652b80e61ecd8aebe1db3f0daf2c42d7f71be087661cab8ced24ff9e361
Opcode Fuzzy Hash: ba56a07a0f5c6f1fe5afe5f8e9793c610ef43a7f5eab2b62bd10783bd3602b9b
Instruction Fuzzy Hash: 22915E71A042558FCB15CF68C984A6EBBF5FF98311F16846AE9159F3B2C770E841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01433AC8, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05774c24ecdef977be5e9582b1f775324b6260b2b1cbaff836cfad7838f7813f
Instruction ID: fbe1b2135494361e07684c4091d8c8c9b9e2a8eb1c92cd0de814c96c92a295f3
Opcode Fuzzy Hash: 05774c24ecdef977be5e9582b1f775324b6260b2b1cbaff836cfad7838f7813f
Instruction Fuzzy Hash: DE514B313141159FDB19DF3ED888A6ABBE9FF8865071544AAE516CB372EB31DC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0143F510, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7788398a68a8dfeaabb875e08ed2fd12dc73adf65700e822c72d92e4b9216dbf
Instruction ID: ed358f925dc4f011fc4908acbc9ed8adc1f3a03f4f8e624b22f8519898805f42
Opcode Fuzzy Hash: 7788398a68a8dfeaabb875e08ed2fd12dc73adf65700e822c72d92e4b9216dbf
Instruction Fuzzy Hash: 49519734B053419FD742DBB89454AAB3BF5DF89310F1584B6D449DB3A2EA38DC0A8761

Uniqueness

Uniqueness Score: -1.00%

Function 0143EA68, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fca61becab0609f0f3615d23a6bab4c819d845cdb25567d18fc6b5186a69f51
Instruction ID: 5ad39a796c4e95b6da6519de9e7b51a079cce31674c9662972ddc1a2c7f128e5
Opcode Fuzzy Hash: 9fca61becab0609f0f3615d23a6bab4c819d845cdb25567d18fc6b5186a69f51
Instruction Fuzzy Hash: 56519D30B012088FCB14EBB8D9546AEB7F6EFC8318B118879D515EB355DB31EC0A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 0143C930, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a067bdd9b5a212490f7cf656c4d7674094bd3fdfe7045dc7fd3ca37247387a3
Instruction ID: 753cd8f17f91cbb518a75ea5c1589a5a81fd2da0bda2b5dd1c01e8a4dc1ac02a
Opcode Fuzzy Hash: 7a067bdd9b5a212490f7cf656c4d7674094bd3fdfe7045dc7fd3ca37247387a3
Instruction Fuzzy Hash: 0A51C030B042449FEB159BB9C8547AE7AE2AFC9304F15847BE405AF3D2DB789C45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014354F0, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cb841864d512ce81e0a02a07bedccae8315e6bc80d038747ba14ac97419c60
Instruction ID: 998226517a20ac001e7827c1de56802559e61c16933673d692616b355d5b88c3
Opcode Fuzzy Hash: 95cb841864d512ce81e0a02a07bedccae8315e6bc80d038747ba14ac97419c60
Instruction Fuzzy Hash: 7241BF313002058FCB169F68E8646AA3BF2EFC9210F05406AF54ACF3A1DB38DD12DB61

Uniqueness

Uniqueness Score: -1.00%

Function 014338D8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804a040bef90c76428050ef289866f9cceb038f42c32b9d38cf376fc7723c80e
Instruction ID: 21bb19d1fa0e6730aa78448bc40fb12327ae2bfe6e3399df4fca271a2e1abdff
Opcode Fuzzy Hash: 804a040bef90c76428050ef289866f9cceb038f42c32b9d38cf376fc7723c80e
Instruction Fuzzy Hash: 40410474610219DFDB159F28D888AAA7BB6FF8C314F10406AF9169B3B1CB31ED51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014314A8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68e75e494a07389b83364709a83dc9fef1ed6605d122d4b074f91b3ddce429e
Instruction ID: 3e6dd861aeddd74beed59088fc93f4410f9f6dce4d1bb6853cc1fca1ddc55c24
Opcode Fuzzy Hash: a68e75e494a07389b83364709a83dc9fef1ed6605d122d4b074f91b3ddce429e
Instruction Fuzzy Hash: 1F4143313002099FCF069F69E854AAF7BF6FB88701F048026FA06DB3A1DB35D9159B90

Uniqueness

Uniqueness Score: -1.00%

Function 0143F720, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731e74ab55c22786c15a8adcb17ebed9c6b9d397c9411c3753bdfc4cdcd4e39c
Instruction ID: 56cca848ef2f943f46865e6a391252d5eacd362cf7fbbfb7364cd1f22c31722f
Opcode Fuzzy Hash: 731e74ab55c22786c15a8adcb17ebed9c6b9d397c9411c3753bdfc4cdcd4e39c
Instruction Fuzzy Hash: 5C31E334F002119FDB159BB8C8146AE7BF1AF8C304F018476E905EB351EB349C098BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0143F898, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993e5967e45511f9deb33e36735620795973b454be0a41c41ebc54a7612d6956
Instruction ID: cda551e97845c62c2a09266a79181b1097d13a72aae8126cc01bcae556854866
Opcode Fuzzy Hash: 993e5967e45511f9deb33e36735620795973b454be0a41c41ebc54a7612d6956
Instruction Fuzzy Hash: F2310430B043859FC7069B7898646AB3BE5DFCA314F1544BBE444DF3A2EB398C0A8752

Uniqueness

Uniqueness Score: -1.00%

Function 0143D6D0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7340d1b930be66280289cddb07d3cd320c833a9dc2fff299e60941a835f9512c
Instruction ID: 76d93cdb873aee38fd68506e6a72c5e35e43cafd20252f8129ab4213a9ace9c1
Opcode Fuzzy Hash: 7340d1b930be66280289cddb07d3cd320c833a9dc2fff299e60941a835f9512c
Instruction Fuzzy Hash: C031D031F002458FDB55AFB8C4546AEBBE3AFCC204B154869D416DB7A4EF34DD0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0143D6E0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89ccf517795ffe0797054ee2286d841e2477a2bc4035a81cb1b3e6d0282c229
Instruction ID: 86e71c94c6d19f7cbb9a9d057b79b25dd63e190f2b18658ae49226db56cec2b6
Opcode Fuzzy Hash: c89ccf517795ffe0797054ee2286d841e2477a2bc4035a81cb1b3e6d0282c229
Instruction Fuzzy Hash: 5331B031F002058FDB55ABB4C0646AFBBE6AFCC204B154469D416DF7A4DF34DC0A8BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0143F780, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74b74e58d38abfa146cb198913effbb4abe7820e623b24279a5d45a31fc1a58
Instruction ID: b5a82d9e7a24bcf121f6611316ec6ebeea26ff57bfd1897133a0822837a714fa
Opcode Fuzzy Hash: e74b74e58d38abfa146cb198913effbb4abe7820e623b24279a5d45a31fc1a58
Instruction Fuzzy Hash: 8731D435F002258BCB14ABB8C4046AE7AF6EF8C244F01846AD906EB354FF349C098BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0143E9B8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5eda02889ea465fdfd76ce7746f3c62cc998b595e6f299ad66b5427094b4a6
Instruction ID: 2581a1c4ccbd0f34450773b3472771c2f88c8c9a69f5e8c8c965c6f2a935a3d7
Opcode Fuzzy Hash: 3b5eda02889ea465fdfd76ce7746f3c62cc998b595e6f299ad66b5427094b4a6
Instruction Fuzzy Hash: AE31F3307493818FD3018B7898146A73BB6EF85314F1580F7E448EF2A3D639DC0A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 0143AEA8, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b62f47fbbbbe5d2882cdc44892fa3bda50353f903eac1e9fa8da569f41e786
Instruction ID: 990b79516b0d86e91693752e881555ba0b21900c09085a57834354c6b368bce0
Opcode Fuzzy Hash: 50b62f47fbbbbe5d2882cdc44892fa3bda50353f903eac1e9fa8da569f41e786
Instruction Fuzzy Hash: 3D31FB70B001054BDF25DFB9D49076FB3A2EBC9215F20483AD52ADB795DB30DD498792

Uniqueness

Uniqueness Score: -1.00%

Function 01433D09, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6efcd64cd2203335d842efb92c8cbbbf678bb1f675d7309d08de3adfe75cae4
Instruction ID: 58eaaa1248e61633daec6fb87b821d410235ffd5504119c5e5cc020913dec4bf
Opcode Fuzzy Hash: b6efcd64cd2203335d842efb92c8cbbbf678bb1f675d7309d08de3adfe75cae4
Instruction Fuzzy Hash: 2321B3303042154BDB266F2A989967E7A9BBFC8515B14403AE902CBBB5EF35CC439791

Uniqueness

Uniqueness Score: -1.00%

Function 01433D18, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a9849885306d23b0e85ea250dcdfab6e912cc766f0dc05523c7f62277701c7
Instruction ID: 2e8183b86f702ed3fe3646c8ac610a4c24ffc0ff329fe40a5443285f68362a55
Opcode Fuzzy Hash: e9a9849885306d23b0e85ea250dcdfab6e912cc766f0dc05523c7f62277701c7
Instruction Fuzzy Hash: 4A2195303042054BDB266F2A989967F7A9BBFC8619F14403AE502CBBF5DE79CC439791

Uniqueness

Uniqueness Score: -1.00%

Function 0143AB10, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6855d2c7a7ebf57fd4c8300e23fcd3004d413a829ebe5d720174cfc1e525b7
Instruction ID: 053abfde6219387c04e5f0402b6061108e8bad66e35aeb3398f4cb72cb3cc282
Opcode Fuzzy Hash: 7c6855d2c7a7ebf57fd4c8300e23fcd3004d413a829ebe5d720174cfc1e525b7
Instruction Fuzzy Hash: F731AF70A402098FCB45CF68D5806EEBBF2EF89310F24846AD548EB361E7359D46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01433C10, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4add88427bbdf4df64e401050ba1576f625e41d659abb2089cfe5b02895be3ae
Instruction ID: 6a4aed74853ecfeec5eaa4fb5163e9e4ae1b613472608c42194a88f0dc50ff80
Opcode Fuzzy Hash: 4add88427bbdf4df64e401050ba1576f625e41d659abb2089cfe5b02895be3ae
Instruction Fuzzy Hash: 12217C323042559FEB11DE6B9840ABB7FAAFBC9250B054426F916CB361DA39DD11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0143EC90, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187c76227761cbcd68f69326d3cfaab9a3e274c9460faf130cac6c205fb8b586
Instruction ID: 289c8378c4432e992518394b2c5ccb9d5bf4643ee7eb7c65c712b514d9ff28a4
Opcode Fuzzy Hash: 187c76227761cbcd68f69326d3cfaab9a3e274c9460faf130cac6c205fb8b586
Instruction Fuzzy Hash: D1219330B053458FC741DBB889046AF77F2EFCC210B1585BAD509EB3A1EB389D068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0143C864, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321ef7a9c3b9a46571aff5f6df1c805ddc3fa3d9a2633002911f8128ca53420c
Instruction ID: 6387311fcf93227bb8603b120bf91f647615996d029efa33a8c2c421cf58a793
Opcode Fuzzy Hash: 321ef7a9c3b9a46571aff5f6df1c805ddc3fa3d9a2633002911f8128ca53420c
Instruction Fuzzy Hash: 3031BF74A052488FDB02CBA8D4946DD7BB2EB8D314F1540ABE089FB3A2D7748E44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0154D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.490113274.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062177285fea62dd8b8c3f6ba99dd0d5ba54e0655948877f0f83d7c18ca866d1
Instruction ID: c4641c9803688a4126b47b765803c3f7214bb1a020693ef87c51f2fa9cc80f4e
Opcode Fuzzy Hash: 062177285fea62dd8b8c3f6ba99dd0d5ba54e0655948877f0f83d7c18ca866d1
Instruction Fuzzy Hash: 2221FFB1504204DFDB15CF94D8C4B26BBB5FB94258F24C9A9E90D4F246D33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05B9F890, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.498736158.0000000005B90000.00000040.00000001.sdmp, Offset: 05B90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bcb629ed67fb0193ceb54fa827bc364313f7fec0d00b44d4e94c14a7f5b750
Instruction ID: d4ba4407e8a4d96c5c903356c55ce4435e4e40bb293f50d89d14ecac7548ed03
Opcode Fuzzy Hash: 66bcb629ed67fb0193ceb54fa827bc364313f7fec0d00b44d4e94c14a7f5b750
Instruction Fuzzy Hash: BD113F6271D2C51FC716477468695B67F6AAFCA12071A44FBE046CB282ED64CC0683A1

Uniqueness

Uniqueness Score: -1.00%

Function 0143C798, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe51b178ae1ef2d95576e1ae8b86354cc484ef296f2194c745d3ec01f48cae73
Instruction ID: a5e1dcfdf482c8ce85524429f690f3f04b8da503b7f45f70723a0a9797938cc0
Opcode Fuzzy Hash: fe51b178ae1ef2d95576e1ae8b86354cc484ef296f2194c745d3ec01f48cae73
Instruction Fuzzy Hash: D121AE31B053489FDB05DBA8D454ADEBBF6AF89314F10806AE405AB3A2DB749D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014319E0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a98c47d7986e077585c57278f99b91ea983318e98779b76f3e74b4f74a2f858
Instruction ID: 22330617116e05383a07e3498c817490e17f8ddc015b56263ea2b72c3b582309
Opcode Fuzzy Hash: 9a98c47d7986e077585c57278f99b91ea983318e98779b76f3e74b4f74a2f858
Instruction Fuzzy Hash: 0D11E3317006158FD716AA29D49497BBBE6FFC8A62B14447AE906CB360DF30DC4387D0

Uniqueness

Uniqueness Score: -1.00%

Function 0154D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.490113274.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc7a86977862d58f96f11e7d1092e561625db0601b6270f8b487bb07ddd8518
Instruction ID: e28acd2978591c780ff31cf82477f85e117a0d7e221d7731fe2fa0358d9acfde
Opcode Fuzzy Hash: fcc7a86977862d58f96f11e7d1092e561625db0601b6270f8b487bb07ddd8518
Instruction Fuzzy Hash: 71218E755093808FCB12CF24D994B15BF71FB46218F28C5EAD8498F667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 01435448, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c36086918c7fcca0d41935b36098a4d8dc1dceaef5222dc6b96db6a3c52632
Instruction ID: d1d3dffc2de86c700ac43d0f2c7a19cc65a50ee49c12ae71b76e66b9f5ea71b7
Opcode Fuzzy Hash: 99c36086918c7fcca0d41935b36098a4d8dc1dceaef5222dc6b96db6a3c52632
Instruction Fuzzy Hash: B5113A71E0025A9FCB05DFA9D8446AEBBF5FF88211F10442BE515EB351D7748A15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0143ECF0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc85ea4f34497ffa7bbe58c8cf45d99e9247c05653e57304078b01142041913
Instruction ID: f9b5f9e951712e85ce678ace420450a1cdef4ccf588c3ae6f01f819cb2a38195
Opcode Fuzzy Hash: bbc85ea4f34497ffa7bbe58c8cf45d99e9247c05653e57304078b01142041913
Instruction Fuzzy Hash: 03112E35F002198F8B40EFB9D844AAFB7F5FBCC610750842AD509E7314EB349D068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0143F660, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f210295d570b94d51cde8b3c77b9120c2bcc87efa902ecf6695ba023522c249
Instruction ID: 4f104f0ce0026d79332863c03238dbf7086f58aa5f1d6630fb22ab33140cabd7
Opcode Fuzzy Hash: 2f210295d570b94d51cde8b3c77b9120c2bcc87efa902ecf6695ba023522c249
Instruction Fuzzy Hash: 6C112A34F002198F8B40EFB9D841AAFB7F6FBDC6107108469D519E7364EB389D068B91

Uniqueness

Uniqueness Score: -1.00%

Function 0143D610, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec207a383d0a1e14b2623a86dbfa2acd8913d307edbccce7604f41e0127e6262
Instruction ID: 7e3e35d4a20d61189e3b71a05946975ff2eafb8ba3a45d1cfa88e6351447146b
Opcode Fuzzy Hash: ec207a383d0a1e14b2623a86dbfa2acd8913d307edbccce7604f41e0127e6262
Instruction Fuzzy Hash: F8112135B002158F8B44DFBCD5459AE7BF6FB8C611710846AE90AE7754EF345D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 01431629, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c322ad8b2cab8a8da0f3eb5d236257b20f64baf3644491d881a2fb7133abd608
Instruction ID: 5334084a3dbb4443883eaa86f7c04e33de50cf7f5729216a99e8dc02d6d14824
Opcode Fuzzy Hash: c322ad8b2cab8a8da0f3eb5d236257b20f64baf3644491d881a2fb7133abd608
Instruction Fuzzy Hash: F301D4327000196BDF119EA8A810BAF3BFBFBC8650F18802AF509CB390DE71891197A0

Uniqueness

Uniqueness Score: -1.00%

Function 0143AA71, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288b110a033e4279f722a4a3468e5201b91353fc8ff7bf9640222e14ff16a124
Instruction ID: 1edc44d7055fbc34dd14f4f9bbea16a49795db23e38fb849e1a9f3d812677b44
Opcode Fuzzy Hash: 288b110a033e4279f722a4a3468e5201b91353fc8ff7bf9640222e14ff16a124
Instruction Fuzzy Hash: 8A01D6729086048FC345EB7C98452ED7BF5EF8C220F2508AAD589D3201E3348A41CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 01432C40, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be918a967f1474bf5599355bdab2a48393de87ea201f30d12c340cecab009c7e
Instruction ID: 923ec8d77912a898c88fd7f6edc6a954cae9e5febb8c630b902b172cb2af5f75
Opcode Fuzzy Hash: be918a967f1474bf5599355bdab2a48393de87ea201f30d12c340cecab009c7e
Instruction Fuzzy Hash: 8E018C3160424CCFCB54DF68E4808DDB3F2FF88218B014A1AE5499B720DB31AD0ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 0143ED4F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b72709a6b417f86573f0b55517c67d42bf92eecb6475b3df27bbd1795681b69
Instruction ID: 44b590c9702acddf6a96becc0dadab8a84f682cc7e7b42184d41f7484a252d09
Opcode Fuzzy Hash: 5b72709a6b417f86573f0b55517c67d42bf92eecb6475b3df27bbd1795681b69
Instruction Fuzzy Hash: 04E0ED35B001298B8F40EBB9D4559DEB3F2FFCC2157018066E50AE7364EE389D168B91

Uniqueness

Uniqueness Score: -1.00%

Function 0143D671, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03f44dbeae0d6239193756e81d59824f88a22859f56dfee8f05ed08e6d6d3a7
Instruction ID: 17c6e6680b9c30a41766b08e4c316f4a0b2cb74cc591b6748482a887913d03ad
Opcode Fuzzy Hash: a03f44dbeae0d6239193756e81d59824f88a22859f56dfee8f05ed08e6d6d3a7
Instruction Fuzzy Hash: 6EE0C035B001148B8F44EBB8D5558ED77F6EB8C2157048066E90AE7794EF386C018B55

Uniqueness

Uniqueness Score: -1.00%

Function 0143AAA8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa164a5f78bc13fccff56163fa498ac8e560f2c54b8d1b2be822116a04c832e
Instruction ID: cfb0158aeeefdb4bec2fb9765c4f7e196d8bddedc914f3a7b5b85c576952f44b
Opcode Fuzzy Hash: 3fa164a5f78bc13fccff56163fa498ac8e560f2c54b8d1b2be822116a04c832e
Instruction Fuzzy Hash: 17E01275E001199F4754DBAD98055AE7FF9EA8C221B110476EA19E3200EB704A01CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0143F6BF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6b9d3c96a7c6fe683c0248f4c2cbc0ef562991a54a7129c1e0294500039b23
Instruction ID: 118418e1c4a637d2a1061bfbee0634eabe5760ae5f388e255c2a5959977d3239
Opcode Fuzzy Hash: bc6b9d3c96a7c6fe683c0248f4c2cbc0ef562991a54a7129c1e0294500039b23
Instruction Fuzzy Hash: E4E0ED35F001298B8F40FBB8D4559ED73F2AFDC2157018066D51AE7364EF389C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 01431D6F, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab20d1b4743a91039617ab721b7a273efdeb615aa4033bc2254e265dfc292481
Instruction ID: c028398cfbfad2a370873d7b1a316867e7cfd45b6c4dd9c5532589bdd3f53f44
Opcode Fuzzy Hash: ab20d1b4743a91039617ab721b7a273efdeb615aa4033bc2254e265dfc292481
Instruction Fuzzy Hash: A5D0123005C34D4EDB82EF79B44116637AEEBC0105F408936A1444B165EF7958199B95

Uniqueness

Uniqueness Score: -1.00%

Function 01431D80, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe42b900a2ad9efce35c68eb531f8ba6b2c0ed76f08eff30cdc9d57f210f5cf
Instruction ID: 1d7790b8d5c7033c41db60252c50e6235a397634de282f58af85f597097455d5
Opcode Fuzzy Hash: 1fe42b900a2ad9efce35c68eb531f8ba6b2c0ed76f08eff30cdc9d57f210f5cf
Instruction Fuzzy Hash: 90C0123001C30E4AC7C0FFA5F441466336FEAC01057408931A1054B624AF7C99065795

Uniqueness

Uniqueness Score: -1.00%

Function 01435721, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.489642768.0000000001430000.00000040.00000001.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7daa073e1778f004b8d8d00613a9131227dd52043c297121efc4a45aa82f2809
Instruction ID: 43f2d9d8bc7e61fe76c386c765ae0ca2dfc39f4e65f1a2d2ac9935ce6e911e88
Opcode Fuzzy Hash: 7daa073e1778f004b8d8d00613a9131227dd52043c297121efc4a45aa82f2809
Instruction Fuzzy Hash: 0FC04C36F15118DB5B14DAC4A4500ECB3A5EBC8579B508057E5195660097315B368A95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zTM9EtIGQK.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior